This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.


Dovecot supports logging post-login IMAP/POP3 traffic (also TLS/SSL encrypted) using rawlog binary. It works by checking if dovecot.rawlog/ directory exists in the logged in user's home directory, and writing the traffic to and .out files. Each connection gets their own in/out files. Rawlog will simply skip users who don't have the dovecot.rawlog/ directory and the performance impact for those users is minimal.

Home directory

Note that for rawlog to work, your userdb must have returned a home directory for the user. If you can't get rawlog to work, you should verify that the home directory really is where you expected it to be by setting mail_debug=yes and checking the logs. You should see a line such as:

Effective uid=1000, gid=1000, home=/home/user

In above configuration rawlog would expect to find /home/user/dovecot.rawlog/ directory writable by uid 1000.

If your userdb doesn't have a home directory, with v2.1+ you can add:

userdb {
  # ...
  default_fields = home=/home/%u
  # or temporarily even e.g. default_fields = home=/tmp/temp-home


To enable rawlog, you must use rawlog as a post-login script:

service imap {
  executable = imap postlogin
service pop3 {
  executable = pop3 postlogin

service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {

You can also give parameters to rawlog:

Pre-login rawlog (v2.1+)

You can enable pre-login rawlog for all users by telling the login processes to log to a rawlog directory, for example:

service imap-login {
  executable = imap-login -R rawlogs

This tries to write the rawlogs under $base_dir/login/rawlogs directory. You need to create it first with enough write permissions, e.g.:

mkdir /var/run/dovecot/login/rawlogs
chown dovenull /var/run/dovecot/login/rawlogs
chmod 0700 /var/run/dovecot/login/rawlogs

Debugging/Rawlog (last edited 2016-03-01 10:34:41 by TimoSirainen)