Chapter 37 - The dovecot authenticator
This authenticator is an interface to the authentication facility of the Dovecot 2 POP/IMAP server, which can support a number of authentication methods. Note that Dovecot must be configured to expose an auth-client listener (not the auth-userdb listener) for Exim to connect to. If you are already using Dovecot to authenticate POP/IMAP clients, it is convenient to use the same mechanisms, and the same password database, for SMTP authentication. This is a server authenticator only. There is only one non-generic option:

    server_socket    Use: dovecot    Type: string    Default: unset
This option must specify the UNIX socket that is the interface to Dovecot authentication. The public_name option must specify an authentication mechanism that Dovecot is configured to support. You can have several authenticators for different mechanisms. For example:
    dovecot_plain:
      driver = dovecot
      public_name = PLAIN
      server_advertise_condition = ${if def:tls_in_cipher}
      server_socket = /var/run/dovecot/auth-client
      server_set_id = $auth1

    dovecot_ntlm:
      driver = dovecot
      public_name = NTLM
      server_socket = /var/run/dovecot/auth-client
      server_set_id = $auth1
Note: plaintext authentication methods such as PLAIN and LOGIN should not be advertised on cleartext SMTP connections. See the discussion in section 34.1.
If the SMTP connection is encrypted, or if $sender_host_address is equal to $received_ip_address (that is, the connection is local), the "secured" option is passed in the Dovecot authentication command. If, for a TLS connection, a client certificate has been verified, the "valid-client-cert" option is passed. When authentication succeeds, the identity of the user who authenticated is placed in $auth1, which is why the examples above use it for server_set_id.
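The following is an added example, not code from the Exim or Dovecot projects, showing the exchange the paragraph above describes over the auth-client socket: a constructed stand-in for the Dovecot auth server on a temporary UNIX socket, and a client that builds the AUTH line the way Exim's dovecot driver does, passing "secured" only when the session is TLS or local and extracting the user= field of an OK reply into the value that would become $auth1. The message shapes follow the Dovecot authentication client protocol (tab-separated VERSION/CPID handshake, AUTH ... with service=, secured, rip=, lip= and resp= options, OK/FAIL replies); the USERS table, the function names and the mock's policy of refusing a plaintext mechanism without "secured" (a loose model of Dovecot's disable_plaintext_auth default) are assumptions made for the example.

```python
import base64
import os
import socket
import tempfile
import threading

# Constructed sample credentials for the mock auth server (assumption).
USERS = {"alice": "s3cret"}


def parse_plain(resp_b64):
    """Decode a SASL PLAIN initial response: [authzid] NUL authcid NUL passwd."""
    parts = base64.b64decode(resp_b64).split(b"\0")
    if len(parts) != 3:
        return None
    _authzid, authcid, passwd = parts
    return authcid.decode(), passwd.decode()


def mock_dovecot_auth_server(path, ready):
    """Stand-in for the Dovecot auth-client listener: serves exactly one AUTH request."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        f = conn.makefile("rwb")
        # Server greeting: protocol version, offered mechanisms, then DONE.
        f.write(b"VERSION\t1\t2\nMECH\tPLAIN\tplaintext\nMECH\tLOGIN\tplaintext\nDONE\n")
        f.flush()
        for line in f:
            fields = line.rstrip(b"\n").split(b"\t")
            if fields[0] in (b"VERSION", b"CPID"):
                continue          # client handshake lines, nothing to answer
            if fields[0] != b"AUTH":
                break
            req_id, mech = fields[1], fields[2]
            opts = dict(o.split(b"=", 1) if b"=" in o else (o, b"") for o in fields[3:])
            creds = parse_plain(opts.get(b"resp", b"")) if mech == b"PLAIN" else None
            # Mock policy (assumption): a plaintext mechanism is only accepted when the
            # client reported the session as secured, and the password must match.
            if b"secured" in opts and creds and USERS.get(creds[0]) == creds[1]:
                f.write(b"OK\t" + req_id + b"\tuser=" + creds[0].encode() + b"\n")
            else:
                f.write(b"FAIL\t" + req_id + b"\n")
            f.flush()
            break
    srv.close()


def exim_style_auth(sock_path, user, password, tls, sender_host_address,
                    received_ip_address, client_cert_verified=False):
    """Run one PLAIN authentication the way the dovecot driver does.

    Returns the authenticated user (the future $auth1) or None on failure.
    """
    # "secured" is passed for an encrypted session, or when the peer address equals
    # the address the connection was received on (a local connection).
    secured = tls or sender_host_address == received_ip_address
    opts = [b"service=smtp"]
    if secured:
        opts.append(b"secured")
    if tls and client_cert_verified:
        opts.append(b"valid-client-cert")
    opts.append(b"rip=" + sender_host_address.encode())
    opts.append(b"lip=" + received_ip_address.encode())
    # SASL PLAIN initial response, base64-encoded into the resp= option.
    opts.append(b"resp=" + base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()))

    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        f = s.makefile("rwb")
        f.write(b"VERSION\t1\t0\nCPID\t%d\n" % os.getpid())
        f.flush()
        for line in f:            # consume the greeting up to DONE
            if line == b"DONE\n":
                break
        f.write(b"AUTH\t1\tPLAIN\t" + b"\t".join(opts) + b"\n")
        f.flush()
        reply = f.readline().rstrip(b"\n").split(b"\t")
        if reply and reply[0] == b"OK":
            for field in reply[2:]:
                if field.startswith(b"user="):
                    return field[5:].decode()
        return None


def run_demo(tls, sender, received, password="s3cret"):
    """Start the mock listener on a temporary socket and perform one exchange."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "auth-client")
    ready = threading.Event()
    t = threading.Thread(target=mock_dovecot_auth_server, args=(path, ready), daemon=True)
    t.start()
    ready.wait(5)
    try:
        return exim_style_auth(path, "alice", password, tls, sender, received)
    finally:
        t.join(5)
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(run_demo(tls=True, sender="203.0.113.5", received="198.51.100.1"))
    print(run_demo(tls=False, sender="203.0.113.5", received="198.51.100.1"))
```

The cleartext, non-local case fails even with a correct password because no "secured" option is sent, which is the same reason the dovecot_plain example only advertises PLAIN under server_advertise_condition = ${if def:tls_in_cipher}: without TLS the password would cross the network in the clear before Dovecot ever saw it.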
The Dovecot configuration to match the above will look something like the following. A unix_listener name without a leading slash is relative to Dovecot's base_dir, so the auth-client listener here is the /var/run/dovecot/auth-client socket named in server_socket, and the user given for it must be the user Exim runs as, since mode 0660 allows only that user and group to connect.

conf.d/10-master.conf:

    service auth {
      ...
      #SASL
      unix_listener auth-client {
        mode = 0660
        user = mail
      }
      ...
    }

conf.d/10-auth.conf:

    auth_mechanisms = plain login ntlm