ERROR: Connection dropped by imap server: Query: SELECT "INBOX"

If you get the following error when trying to connect to your webmail client:

ERROR: Connection dropped by imap server

Check your /var/log/maillog for any dovecot clues.

It may be that the dovecot indexes are corrupted (sometimes happens between dovecot versions), so the fix is to simply purge the indexes, eg:

cd /home/username/imap/
rm -f dovecot*

When you login to dovecot (either via webmail or email client) the index will be re-created, and you should be good to go.

Why do I get shadow(, unknown user?

Dovecot uses 2 separate login databases to authenticate.

One is for the system passwords. This is called "shadow" and uses the /etc/shadow file. The other is for virtual accounts. They live in the /etc/virtual/ files.

A valid email account of either type will only exist in one of these databases, not both, but both are checked to attempt to validate the user. If the email account does not exist in the first one, then the error will show up, even though it exists in the 2nd database. This is normal.

Sample message

Nov  7 00:59:47 server dovecot[13778]: auth(default): shadow(, unknown user
Nov  7 00:59:47 server dovecot[13778]: auth(default): passwd(, unknown user

You can hide these errors by setting

auth_verbose = no
auth_debug = no

in the "## Authentication processes" section of your /etc/dovecot/dovecot.conf

How to manually check the certificate for imap on port 143 or 993

As more servers and mail clients are requiring valid certificates for mail servers, you might need to view the certificate data to see what's currently set.

To check the 143 port:

openssl s_client -connect -starttls imap -servername

To check the 993 port:

openssl s_client -connect -servername


The "CN" value, or "Common Name", will be the current host value set inside the certificate.

You'll be looking for the subject after the certificate output, so in the case of our mail server, we have a wildcard, so the important bits would look like:

subject=/OU=Domain Control Validated/CN=*

Once run, you'll actually be connected to the remote server, to exit the current IMAP session just type:

01 logout

If it is a self-signed certificate, you'll see this in the "SSL-Session:" header:

   Verify return code: 18 (self signed certificate)

Note, the "-servername" is used to specify the ssl host, if your dovecot is running SNI to allow for multiple certificates.

Last Updated: