auth.txt revision 6c07b8ddc5e894feead4d422075b079451721241
Authentication is split into three parts: authentication mechanism,
password database and user database.

Currently supported authentication mechanisms:

 - PLAIN: By itself it's very insecure, but through a secured SSL/TLS
   connection it should be fine.
 - DIGEST-MD5: Should be quite secure by itself. It also supports
   integrity protection and encryption of the rest of the communication,
   but we don't support those yet.
 - CRAM-MD5: Protects the secret in transit from eavesdroppers. Doesn't
   provide any integrity guarantees.
 - ANONYMOUS: No authentication required. The user will be logged in as
   the user specified by the auth_anonymous_username setting (default
   "anonymous"). There are no special restrictions for anonymous users,
   so you have to make sure that account doesn't have access to unwanted
   locations.

Currently supported password databases:

 - passwd: /etc/passwd or similar, using getpwnam()
 - shadow: /etc/shadow or similar, using getspnam()
 - pam: Pluggable Authentication Modules
 - passwd-file: /etc/passwd-like file in a specified location
 - ldap: Lightweight Directory Access Protocol
 - vpopmail: External software used to handle virtual domains
 - pgsql: A PostgreSQL database.

Currently supported user databases:

 - passwd: /etc/passwd or similar, using getpwnam()
 - passwd-file: /etc/passwd-like file in a specified location
 - ldap: Lightweight Directory Access Protocol
 - vpopmail: External software used to handle virtual domains
 - static: Static UID and GID, home directory from a given template
 - pgsql: A PostgreSQL database.

Most password databases support only plaintext authentication. passwd-file
and LDAP are exceptions, since they support multiple password schemes.

Password schemes supporting only plaintext authentication:

 - CRYPT: Use crypt(). Usually DES, but some systems support others too
   (e.g. MD5 and SHA1)
 - MD5: MD5crypt algorithm, sometimes used in /etc/passwd and the like
 - PLAIN-MD5: Simple MD5 sum of the password. Used by libpam-pwdfile

Password schemes supporting plaintext authentication and more:

 - PLAIN: Although not a very good idea, it enables support for all current
   and future authentication mechanisms.
 - HMAC-MD5: HMAC-MD5 context of the password, for the CRAM-MD5 mechanism.
 - DIGEST-MD5: MD5 sum of "user:realm:password", as required by the
   DIGEST-MD5 mechanism.

Realms (or virtual domains) are supported by appending "@realm" after the
user name. This works with all authentication mechanisms and databases.

The home directory can be prefixed with "<chroot>/./", in which case the
<chroot> directory will be chrooted into. The actual home directory
follows the "/./". For example "/chroot/./home/user".


passwd
------

Most commonly used as a user database. Many systems use shadow passwords
nowadays, so it doesn't usually work as a password database. BSDs are an
exception: they still set the password field even with shadow passwords.


shadow
------

Works at least with Linux and Solaris.


PAM
---

We should work with Linux PAM, Solaris PAM, OpenPAM (FreeBSD) and
ApplePAM (OSX). PAM doesn't provide a user database, so you have to use
something else for that, usually passwd.

By default Dovecot uses the "dovecot" service, i.e. the PAM configuration
is in the /etc/pam.d/dovecot file. You can override this by giving the
wanted service name as a parameter for pam, for example
"auth_passdb = pam dovecot2". If you give "*" as the service name, Dovecot
uses the "imap" service for IMAP connections and the "pop3" service for
POP3 connections.

Here's an example /etc/pam.d/dovecot configuration file which uses standard
UNIX authentication:

auth required pam_unix.so nullok
account required pam_unix.so


passwd-file
-----------

This is compatible with regular /etc/passwd and with the password file used
by libpam-pwdfile. It's in the following format:

user:password:uid:gid:(gecos):home:(shell):flags:mail

For a password database, it's enough to have only the user and password
fields. For a user database, you also need to set uid, gid and either
home or mail.

Flags is a comma-separated list of flags. The only currently recognized
value is "chroot", which makes the imap process chroot into the home
directory, if allowed by the master process.

The password field can be in three formats:

 - password: Assume CRYPT scheme
 - password[type]: libpam-pwdfile compatible format. Type is one of:
     13: CRYPT scheme
     34: MD5 scheme
     56: DIGEST-MD5 scheme (Dovecot extension, deprecated)
 - {SCHEME}password
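As an added example (not Dovecot's own code), here is a small Python parser for the passwd-file format above. It applies the three password field rules, the "chroot" flag, the "<chroot>/./home" home-directory convention described earlier, and the rule that a userdb entry needs uid, gid and home or mail. The sample file and its hash values are constructed placeholders.

```python
import re

# Field order from auth.txt; everything after "password" may be left empty.
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell", "flags", "mail")
# Type codes of the libpam-pwdfile-compatible "password[type]" form.
PWDFILE_TYPES = {"13": "CRYPT", "34": "MD5", "56": "DIGEST-MD5"}

def parse_password(raw):
    """Map the three password field formats to (scheme, hash)."""
    m = re.fullmatch(r"\{([^}]+)\}(.*)", raw)      # {SCHEME}password
    if m:
        return m.group(1).upper(), m.group(2)
    m = re.fullmatch(r"(.*)\[(\d+)\]", raw)        # password[type]
    if m:
        if m.group(2) not in PWDFILE_TYPES:
            raise ValueError("unknown password type [%s]" % m.group(2))
        return PWDFILE_TYPES[m.group(2)], m.group(1)
    return "CRYPT", raw                             # bare password: CRYPT

def parse_line(line):
    """Parse one user:password:uid:gid:(gecos):home:(shell):flags:mail line."""
    cols = line.rstrip("\n").split(":")
    if len(cols) < 2 or not cols[0]:
        raise ValueError("a passdb entry needs at least user and password")
    cols += [""] * (len(FIELDS) - len(cols))      # missing trailing fields
    e = dict(zip(FIELDS, cols))
    e["scheme"], e["password"] = parse_password(e["password"])
    e["chroot"] = ""
    if "/./" in e["home"]:                         # "<chroot>/./home" form
        e["chroot"], rest = e["home"].split("/./", 1)
        e["home"] = "/" + rest
    e["flags"] = [f for f in e["flags"].split(",") if f]
    # auth.txt: a userdb entry additionally needs uid, gid and home or mail.
    e["userdb_ok"] = bool(e["uid"] and e["gid"] and (e["home"] or e["mail"]))
    return e

def parse_file(text):
    return [parse_line(l) for l in text.splitlines() if l]

# Constructed sample file (not from the Dovecot docs); hashes are placeholders.
SAMPLE = """\
alice:$1$saltsalt$PLACEHOLDERMD5CRYPT:1000:1000::/home/alice::chroot:
bob:{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72:1001:1001:Bob:/chroot/./home/bob
carol:PLACEHOLDERDES[13]
"""
```

Running parse_file(SAMPLE) shows carol's entry is usable as a passdb but not as a userdb, and bob's home splits into chroot "/chroot" and home "/home/bob".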


LDAP
----

See dovecot-ldap.conf for more information. Password and user databases may
use different configuration files to keep the information in separate
locations. If both refer to the same file, they share the same LDAP
connection.


vpopmail
--------

This is external software intended to make handling virtual domains
easier. Supports Qmail and Postfix. See http://inter7.com/vpopmail.html


static
------

static uid=<uid> gid=<gid> home=<dir template>

All users share the same UID and GID. The home directory template can use
the %u, %n and %d variables; see the default_mail_env description in
dovecot-example.conf.


PostgreSQL
----------

See dovecot-pgsql.conf for more information. Password and user databases may
use different configuration files to keep the information in separate
locations. If both refer to the same file, they share the same PostgreSQL
connection.


Generating passwords
--------------------

DES:
  mkpasswd
  perl -e 'printf "%s\n", crypt("pass", "two-letter-salt")'

MD5:
  mkpasswd --hash=md5
  perl -e 'printf "%s\n", crypt("pass", "\$1\$6-8-letter-salt\$")'

PLAIN-MD5:
  perl -MDigest::MD5 -e 'printf "{PLAIN-MD5}%s\n", Digest::MD5::md5_hex("pass")'

DIGEST-MD5:
  perl -MDigest::MD5 -e 'printf "{DIGEST-MD5}%s\n", Digest::MD5::md5_hex("user:realm:pass")'

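The Perl one-liners above produce the {PLAIN-MD5} and {DIGEST-MD5} values. As an added example (not from Dovecot), here is the same computation in Python, plus a verifier that takes the "user@realm" login form from the realms section and compares digests in constant time. CRYPT and MD5 generation is left to mkpasswd, since it needs crypt(3), and HMAC-MD5 (a CRAM-MD5 context) is not covered.

```python
import hashlib
import hmac

def split_realm(login):
    """auth.txt: a realm (virtual domain) is given as "user@realm"."""
    user, _, realm = login.partition("@")
    return user, realm

def plain_md5(password):
    """{PLAIN-MD5}: hex MD5 of the bare password, as libpam-pwdfile uses."""
    return "{PLAIN-MD5}" + hashlib.md5(password.encode()).hexdigest()

def digest_md5(user, realm, password):
    """{DIGEST-MD5}: hex MD5 of "user:realm:password". Because the user and
    realm are hashed in, the stored value is only valid for that login."""
    a1 = "%s:%s:%s" % (user, realm, password)
    return "{DIGEST-MD5}" + hashlib.md5(a1.encode()).hexdigest()

def verify(stored, login, password):
    """Check a plaintext password against a {SCHEME}hash value by recomputing
    the hash and comparing in constant time. Handles only the two schemes
    above; anything else raises ValueError rather than silently failing."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected {SCHEME}hash form")
    scheme, _, digest = stored[1:].partition("}")
    user, realm = split_realm(login)
    if scheme.upper() == "PLAIN-MD5":
        candidate = plain_md5(password)
    elif scheme.upper() == "DIGEST-MD5":
        candidate = digest_md5(user, realm, password)
    else:
        raise ValueError("unsupported scheme %s" % scheme)
    # compare_digest avoids leaking where the two hex strings first differ
    return hmac.compare_digest(candidate.split("}", 1)[1], digest.lower())
```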