This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 15 and 16
Revision 15 as of 2009-01-06 18:38:11 (size 3094, editor DMOCK0, no comment)
Revision 16 as of 2009-03-15 22:35:10 (size 3103, editor localhost, comment: converted to 1.6 markup)

Deletions and additions (wiki source lines 5, 10, 12, 14, 19 and 21): the wording is identical in both revisions; only the link markup changed, from the old [:Page:label] form to the 1.6 [[Page|label]] form, e.g. [[SSL|SSL/TLS]], [[Authentication/PasswordSchemes|password scheme]], [[PasswordDatabase|success/failure password databases]], [[Authentication/Mechanisms/DigestMD5|DIGEST-MD5]], [[Authentication/Mechanisms/NTLM|NTLM]], [[Authentication/Mechanisms/Winbind|using Samba's winbind]], [[Authentication/Mechanisms/Winbind|GSS-SPNEGO]] and [[Authentication/Kerberos|GSSAPI]].

Authentication Mechanisms

Plaintext authentication

The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented.

Today, however, many people use SSL/TLS, and there's no problem with sending an unencrypted password inside an SSL-secured connection. So if you're using SSL, you probably don't need to bother with anything other than the PLAIN mechanism.

Another plaintext mechanism is LOGIN. It's typically used only by SMTP servers to let Outlook clients perform SMTP authentication. Note that the LOGIN mechanism is not the same as IMAP's LOGIN command; the LOGIN command is handled internally using the PLAIN mechanism.

Non-plaintext authentication

Non-plaintext mechanisms have been designed to be safe to use even without SSL/TLS encryption. Because of how they have been designed, they require access to the plaintext password or their own special hashed version of it. This means that it's impossible to use non-plaintext mechanisms with commonly used DES or MD5 password hashes.

If you want to use more than one non-plaintext mechanism, the passwords must be stored as plaintext so that Dovecot is able to generate the required special hashes for all the different mechanisms. If you want to use only one non-plaintext mechanism, you can store the passwords using the mechanism's own password scheme.

With success/failure password databases (e.g. PAM) it's not possible to use non-plaintext mechanisms at all, because they only support verifying a known plaintext password.
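To make the difference between the two families concrete, here is an added example in Python (not from the Dovecot wiki or from Dovecot's code) that runs both exchanges offline: the single PLAIN message, and a CRAM-MD5 challenge/response with the server-side check. The user name, password and host name are constructed sample values; the server-side lookup is a plain dictionary standing in for a passdb. The last function shows why the text above requires the plaintext password (or a mechanism-specific hash) for CRAM-MD5: a server that only holds an MD5 hash of the password cannot recompute the client's response.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# --- PLAIN (RFC 4616): one client message, base64(authzid NUL authcid NUL password) ---

def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Client side of PLAIN. The credentials are only base64-encoded, not protected."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_decode(message_b64: str) -> tuple[str, str, str]:
    """What anyone who sees the message (the server or an eavesdropper) reads back."""
    parts = base64.b64decode(message_b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    return parts[0], parts[1], parts[2]


# --- CRAM-MD5 (RFC 2195): server challenge, client HMAC-MD5 response ---

def cram_md5_challenge(hostname: str = "mail.example.test") -> bytes:
    """Server side: a fresh, unpredictable challenge in the usual msg-id form.
    The host name is a constructed sample value."""
    return f"<{secrets.token_hex(8)}.{secrets.randbits(32)}@{hostname}>".encode("ascii")


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: base64('user SP hex(HMAC-MD5(key=password, msg=challenge))')."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def cram_md5_verify(response_b64: str, challenge: bytes,
                    lookup_secret: Callable[[str], Optional[str]]) -> bool:
    """Server side. lookup_secret(username) must hand back the plaintext password:
    HMAC-MD5 is keyed with the password itself, so a one-way hash of the password
    (a DES or MD5 crypt hash) gives the server nothing it can recompute the response from."""
    try:
        username, digest = base64.b64decode(response_b64).decode("utf-8").rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False                      # not base64, or no "user digest" structure
    secret = lookup_secret(username)
    if secret is None:
        return False                      # unknown user; same answer as a bad digest
    expected = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison


def wire_exposure(username: str, password: str) -> dict:
    """Compare what a passive observer of each exchange learns, and which server-side
    stores can verify CRAM-MD5. Uses constructed credentials passed in by the caller."""
    plain_msg = plain_initial_response(username, password)
    _, _, seen_password = plain_decode(plain_msg)
    challenge = cram_md5_challenge()
    response = cram_md5_response(username, password, challenge)
    plaintext_store = {username: password}
    md5_hash_store = {username: hashlib.md5(password.encode("utf-8")).hexdigest()}
    return {
        "plain_reveals_password": seen_password == password,
        "cram_md5_message_contains_password":
            password in base64.b64decode(response).decode("utf-8"),
        "cram_md5_verified_with_plaintext_store":
            cram_md5_verify(response, challenge, plaintext_store.get),
        "cram_md5_verified_with_md5_hash_store":
            cram_md5_verify(response, challenge, md5_hash_store.get),
    }


if __name__ == "__main__":
    # Constructed demo credentials; the CRAM-MD5 vector matches the one in RFC 2195.
    print(wire_exposure("tim", "tanstaaftanstaaf"))
```

Run with the RFC 2195 test vector (user `tim`, password `tanstaaftanstaaf`, challenge `<1896.697170952@postoffice.reston.mci.net>`) the client response decodes to `tim b913a602c7eda7a495b4e6e7334d3890`. What "the mechanism's own password scheme" means for CRAM-MD5 is that Dovecot's CRAM-MD5 scheme stores the HMAC's keyed intermediate state rather than the password, which is enough to finish the computation above but useless for any other mechanism; a crypt-style hash cannot be used at all, which is what the last dictionary entry demonstrates. CRAM-MD5 only hides the password from a passive reader of the connection, so the page's own advice to run PLAIN inside SSL/TLS remains the stronger choice.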

Dovecot supports the following non-plaintext mechanisms:

  • CRAM-MD5: Protects the password in transit against eavesdroppers. Somewhat good support in clients.
  • DIGEST-MD5: Somewhat stronger cryptographically than CRAM-MD5, but clients rarely support it.
  • APOP: This is a POP3-specific authentication. Similar to CRAM-MD5, but requires storing the password in plaintext.
  • NTLM: Mechanism created by Microsoft and supported by their clients.
    • Optionally supported using Samba's winbind.
  • GSS-SPNEGO: Similar to NTLM.
  • GSSAPI: Kerberos v5 support.
  • RPA: Compuserve RPA authentication mechanism. Similar to DIGEST-MD5, but client support is rare.
  • ANONYMOUS: Support for logging in anonymously. This may be useful if you're intending to provide a publicly accessible IMAP archive.
  • OTP and SKEY: One-time password mechanisms. Supported only by Dovecot v1.1 and later.

Configuration

By default only the PLAIN mechanism is enabled. You can change this by modifying dovecot.conf:

auth default {
  mechanisms = plain login cram-md5
  # ..
}
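As an added example (not part of the wiki page or of Dovecot), the following Python check applies the storage rules from the non-plaintext section to a dovecot.conf fragment: it reads the mechanisms line, classifies the mechanisms the way the page does, and reports combinations the page says cannot work. The passdb driver and password scheme are passed in as strings because the page shows neither setting. Two assumptions go beyond the page: the mapping of mechanisms to their own password schemes for anything other than CRAM-MD5 and DIGEST-MD5 follows Dovecot's scheme names, and ANONYMOUS, GSSAPI and GSS-SPNEGO are left out of the password rules because they do not verify a password held in the passdb.

```python
from __future__ import annotations

import re

# Classification taken from the page.
PLAINTEXT = {"plain", "login"}
NON_PLAINTEXT = {"cram-md5", "digest-md5", "apop", "ntlm", "rpa", "otp", "skey"}
# Listed on the page, but they do not check a password from the passdb (Kerberos
# tickets, or no credential at all), so the storage rules below do not apply to them.
NO_PASSDB_PASSWORD = {"anonymous", "gssapi", "gss-spnego"}
# Mechanism-specific password schemes (Dovecot names the scheme after the mechanism).
# CRAM-MD5 and DIGEST-MD5 are implied by the page; the rest is an assumption here.
# APOP has no entry: the page says it needs the password stored in plaintext.
OWN_SCHEME = {"cram-md5": "CRAM-MD5", "digest-md5": "DIGEST-MD5", "ntlm": "NTLM",
              "rpa": "RPA", "otp": "OTP", "skey": "SKEY"}
# passdb drivers that can only answer yes/no for a plaintext password they are handed.
SUCCESS_FAILURE_PASSDBS = {"pam"}


def parse_mechanisms(conf_text: str) -> list[str]:
    """Return the mechanisms on the first 'mechanisms = ...' line, lower-cased.
    The page says only PLAIN is enabled when the setting is absent."""
    m = re.search(r"^\s*mechanisms\s*=\s*(.*?)\s*(?:#.*)?$", conf_text, re.MULTILINE)
    return m.group(1).lower().split() if m else ["plain"]


def check_auth_config(conf_text: str, passdb_driver: str, password_scheme: str) -> list[str]:
    """Apply the page's storage rules; return the list of problems (empty = consistent)."""
    mechs = parse_mechanisms(conf_text)
    problems = []
    known = PLAINTEXT | NON_PLAINTEXT | NO_PASSDB_PASSWORD
    problems += [f"unknown mechanism {m!r}" for m in mechs if m not in known]
    non_plain = [m for m in mechs if m in NON_PLAINTEXT]
    if not non_plain:
        return problems          # PLAIN/LOGIN work with any passdb and any scheme
    if passdb_driver.lower() in SUCCESS_FAILURE_PASSDBS:
        problems.append(f"passdb {passdb_driver} can only verify a known plaintext "
                        f"password; it cannot serve {', '.join(non_plain)}")
        return problems
    scheme = password_scheme.upper()
    if scheme == "PLAIN":
        return problems          # plaintext storage lets Dovecot derive every mechanism's hash
    if len(non_plain) > 1:
        problems.append(f"{len(non_plain)} non-plaintext mechanisms ({', '.join(non_plain)}) "
                        f"need passwords stored in the PLAIN scheme, not {scheme}")
    else:
        own = OWN_SCHEME.get(non_plain[0])
        allowed = "PLAIN" if own is None else f"PLAIN or {own}"
        if scheme != own:
            problems.append(f"{non_plain[0]} needs passwords stored as {allowed}, not "
                            f"{scheme} (DES or MD5 crypt hashes cannot be used)")
    return problems


if __name__ == "__main__":
    # Constructed sample fragment, modelled on the snippet above.
    sample = "auth default {\n  mechanisms = plain login cram-md5\n  # ..\n}\n"
    for driver, scheme in [("passwd-file", "MD5-CRYPT"), ("passwd-file", "CRAM-MD5"),
                           ("pam", "")]:
        print(driver, scheme or "-", check_auth_config(sample, driver, scheme) or "ok")
```

With the page's own snippet (`plain login cram-md5`) the check passes for a passwd-file holding PLAIN or CRAM-MD5 entries, flags an MD5-CRYPT passwd-file, and flags PAM outright; adding a second non-plaintext mechanism such as DIGEST-MD5 turns the CRAM-MD5 scheme into an error as well, because only plaintext storage can feed both.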

Authentication/Mechanisms (last edited 2019-09-12 08:29:14 by MichaelSlusarz)