Checking root's mail remotely

What's the approved way to get root's mail from some other machine on a secure (pfsense box) lan?

My server-of-all-work runs 10.2, and I have it set up with postfix, dovecot, pam, and openssl. Openssl seems to believe that the setup is good, but I can't get the mail client, running under XP, to log in as root. Someone, pam I suppose, complains in
Oct 26 09:03:01 server dovecot: pop3-login: Login: user=<root>, method=PLAIN, rip=, lip=, mpid=30973, TLS, session=<z5ayPsQ/MhDAqAAL>
Oct 26 09:03:01 server dovecot: pop3(root): Error: Invalid settings in userdb: userdb returned 0 as uid
Oct 26 09:03:01 server dovecot: pop3(root): Error: Invalid user settings. Refer to server log for more information.
which I suppose means that it doesn't like me logging in as root.
It's probably easier if you redirect root's mail using /etc/aliases to a regular user account. You can even forward it to an 'external' email address. Just stick something like this at the end of /etc/aliases:
Or to a 'local' user:
root: myuser

Don't forget to run newaliases(8) after you modified /etc/aliases.

Using the root account with POP3/IMAP is, in general, not a good idea, even if the connection is encrypted. And judging by the error messages it looks like it's been disabled.
Thanks, SirD. I should have thought of that myself, since I've been autoforwarding from my isp account for years.

I stumbled across some trickiness, trying to organise the alias. I decided that it should be one I can su root from, but discovered that not only does dovecot not like root logging in remotely, it won't even allow someone from wheel to do so. Then, trying to change /etc/group, I discovered that the only account listed for wheel is root itself. So there are now 2 other accounts that think they're in wheel, but that aren't in /etc/group. Does that seem normal to you? I've never had occasion to dig around in the group file before, so maybe it's okay, but it seems like a bug given what the docs say.
I found, too, that aliasing is a bit fragile, since it got confused when I did a test mail to root@server, apparently not realising that it's a local address despite the hostname
Don't add the @hostname, this will ensure the account is always treated as local.