Connecting Thunderbird, iOS, and Android to your IMAP server

You've got Postfix + Dovecot running on your VPS. Now you want your laptop and phone to actually read and send mail through it. This article walks through the client-side setup for the three platforms most LYLIX customers use, and covers the gotchas that aren't in the upstream docs.

What your server needs to be doing

Before any client works:

  • IMAP/IMAPS on port 993 with TLS, served by Dovecot.
  • SMTP submission on port 587 with STARTTLS, requiring SASL auth (NOT the plain port 25, which is for server-to-server mail).
  • A real TLS certificate for your mail.example.com hostname (Let's Encrypt; see the related certificate article).
  • Account credentials — either your Dovecot virtual user password or whatever auth backend you've wired up.

Verify from another machine:

openssl s_client -connect mail.example.com:993 -servername mail.example.com < /dev/null
openssl s_client -connect mail.example.com:587 -starttls smtp -servername mail.example.com < /dev/null

Both should show the LE-issued cert with the right hostname.

Thunderbird (Linux / macOS / Windows)

"File → New → Existing Mail Account" — Thunderbird's autoconfig usually finds nothing for self-hosted servers, so click "Configure manually" once it gives up.

Field | Value
Incoming server | IMAP, mail.example.com, port 993, SSL/TLS, normal password
Outgoing server | SMTP, mail.example.com, port 587, STARTTLS, normal password
Username | Full email address (alice@example.com), NOT just "alice"

Click "Re-test"; Thunderbird connects and verifies the cert. Then save the account.

Common Thunderbird-specific gotchas:

  • "Cannot connect to server" after entering credentials — usually the cert hostname doesn't match. Make sure you connect to mail.example.com (the cert's subject), not the bare IP.
  • Sent mail not showing up in "Sent" folder on the server — Thunderbird's default is to save sent mail locally. Account Settings → Copies & Folders → set "Sent" to your server's Sent folder.
  • Calendar/contacts not syncing — IMAP doesn't carry those. You need a separate CardDAV/CalDAV service (Nextcloud, Radicale, or a managed service).

iOS Mail

Settings → Mail → Accounts → Add Account → Other → Add Mail Account.

  1. Enter Name, Email, Password, Description.
  2. iOS tries to autoconfigure; it'll fail. Tap "Next" anyway.
  3. Select IMAP at the top.
  4. Incoming Mail Server: Host = mail.example.com, Username = alice@example.com, Password = (your password).
  5. Outgoing Mail Server: same hostname, same username/password.
  6. Tap Save. iOS verifies the cert and TLS settings.

iOS gotchas:

  • "Cannot verify server identity" — your cert isn't recognized. If Let's Encrypt-signed, iOS should trust it; this usually means the cert chain is incomplete (server isn't serving the intermediate). Verify with the openssl command above; the chain should show 3 certs (your cert, the LE intermediate, the root).
  • iOS keeps re-prompting for password — usually the wrong SMTP port. iOS Mail tries port 25 first if you don't pin 587 explicitly. Edit Outgoing Mail Server → Server Port = 587.
  • iOS Mail aggressively caches DNS — if you moved your IMAP server's IP recently and the phone can't connect, toggle airplane mode for 30 seconds.

Android (Gmail app)

The Gmail app handles non-Gmail accounts decently. Add account → Other → Personal (IMAP).

Field | Value
Username | alice@example.com
IMAP server | mail.example.com, port 993, SSL/TLS
SMTP server | mail.example.com, port 587, STARTTLS

K-9 Mail (third-party app) handles IMAP more robustly and is the standard choice for Android users running multiple non-Gmail accounts. FairEmail is another popular option.

SMTP submission auth — the SASL mechanism

By default Dovecot/Postfix accept PLAIN auth over TLS-secured connections. Some clients also try CRAM-MD5 or DIGEST-MD5; modern clients work with PLAIN, and that's what you want over TLS.

Verify Postfix's master.cf has submission enabled:

submission inet n - y - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING

Restart Postfix after changes.
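
An added example, not part of the original article or of Postfix: a small Python check that reads master.cf as laid out above (indented continuation lines, `-o name=value` overrides) and reports when the submission service is missing or lacks the TLS/SASL overrides from the listing. The function names, the REQUIRED table, and the sample text are constructed for illustration; the `-o { name = value }` brace form is not handled.

```python
# Overrides the article's submission entry relies on (values copied from the page).
# Assumption: exact string match is wanted; adjust REQUIRED for your own policy.
REQUIRED = {
    "smtpd_tls_security_level": "encrypt",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
}

# Constructed sample: TLS downgraded to "may", client restrictions missing.
WEAK_SAMPLE = """\
smtp       inet  n  -  y  -  -  smtpd
# submission as shipped, partially edited
submission inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Return {(service, type): {name: value}} of -o overrides per service."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank lines and comments
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        tokens = line.split()
        if len(tokens) < 8:
            continue                          # fewer than the 8 master.cf fields
        opts, args = {}, tokens[8:]           # tokens[7] is the command (smtpd)
        for i, tok in enumerate(args[:-1]):
            if tok == "-o" and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                opts[name] = value
        services[(tokens[0], tokens[1])] = opts
    return services

def audit_submission(text):
    """List problems with the submission/inet entry; an empty list means OK."""
    opts = parse_master_cf(text).get(("submission", "inet"))
    if opts is None:
        return ["submission/inet service is missing or commented out"]
    return [f"{n}: expected {want!r}, found {opts.get(n)!r}"
            for n, want in REQUIRED.items() if opts.get(n) != want]

if __name__ == "__main__":
    print("\n".join(audit_submission(WEAK_SAMPLE)) or "submission entry OK")
```

To check a live server, pass the contents of your own master.cf to `audit_submission()`; a commented-out `submission` line is reported as missing.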

OAuth2 for inbound — should you bother?

Modern clients increasingly want OAuth2 instead of password auth. Self-hosting an OAuth2 provider for IMAP is a significant project (Keycloak / Authentik + a Dovecot extension); not worth it for personal/small-team use. Password auth over TLS is fine for everything practical.

The certificate trust dance

All three platforms verify the TLS cert. For Let's Encrypt-signed certs (the default if you followed the LE setup article), this works automatically. For self-signed certs:

  • Thunderbird: prompts to add an exception. Click "Confirm Security Exception" once.
  • iOS: under General → About → Certificate Trust Settings, you'd have to install the cert as a trusted profile. Possible but painful. Just use Let's Encrypt.
  • Android: similar. Just use Let's Encrypt.

Self-signed is fine for ssh-tunnel-style access, not for daily mail use across devices.
