This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.

Debugging Authentication

Numerous settings in dovecot.conf can assist in debugging authentication failures. These are described in the comments in the dovecot-example.conf file that is provided with the source distribution.

In addition, it might be useful to know how to construct and to decode a PLAIN mechanism string. printf(1) and mmencode(1) should be available on most Unix or GNU/Linux systems. (If not, check with your distribution. GNU coreutils includes printf(1), and metamail includes mmencode(1). In Debian, mmencode is called mimeencode(1).)

Example authentication string encoding

$ printf 'username\0username\0password' | mmencode
dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=

This string is what a client would use to attempt PLAIN authentication as user "username" with password "password". With verbose logging, specifically with auth_debug_passwords = yes, it would appear in your logs. The string is base64-encoded, not encrypted, so the log line carries the password in recoverable form.

Alternate Approach with perl

Unfortunately, mmencode on FreeBSD chokes on "\0". As an alternative, if you have MIME::Base64 on your system, you can use a Perl statement to do the same thing:

perl -MMIME::Base64 -e 'print encode_base64("myusername\@domain.tld\0myusername\@domain.tld\0mypassword");'

Because the input to mmencode -u contains no "\0", you can also run:

perl -MMIME::Base64 -e 'print encode_base64("myusername\@domain.tld\0myusername\@domain.tld\0mypassword");' | mmencode -u

to check that you have encoded correctly.

Example authentication string decoding

You can use mmencode -u to interpret the encoded string pasted into stdin as follows:

# mmencode -u
bXl1c2VybmFtZUBkb21haW4udGxkAG15dXNlcm5hbWVAZG9tYWluLnRsZABteXBhc3N3b3Jk<CR>
myusername@domain.tldmyusername@domain.tldmypassword<CTRL-D>
#

You should see the correct user address (twice) and password. The null bytes won't display.
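The encoding and decoding steps above can be wrapped in two small shell functions. This is an added example, not part of the Dovecot documentation: it assumes base64(1) from GNU coreutils in place of mmencode, and the function names plain_encode and plain_decode are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the Dovecot documentation.
# Assumption: base64(1) from GNU coreutils replaces mmencode.
# plain_encode and plain_decode are hypothetical helper names.

# Build "authzid NUL authcid NUL password" and base64-encode it.
# The fields are passed as %s arguments, never pasted into the printf
# format: there, "\0" followed by a password such as "123456" would be
# parsed as one octal escape and produce the wrong bytes.
plain_encode() {
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# Decode a PLAIN string and print one labelled field per line, so the
# NUL separators that a terminal does not display become visible.
# Fails unless the decoded data contains exactly two NUL bytes.
plain_decode() {
    nuls=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '\000' | wc -c)
    if [ "$nuls" -ne 2 ]; then
        echo "not a PLAIN string: $nuls NUL separators, expected 2" >&2
        return 1
    fi
    printf '%s' "$1" | base64 -d | tr '\000' '\n' | {
        IFS= read -r authzid || :
        IFS= read -r authcid || :
        IFS= read -r password || :   # last field has no trailing newline
        printf 'authzid=%s\nauthcid=%s\npassword=%s\n' \
            "$authzid" "$authcid" "$password"
    }
}

# The sample string from the decoding section above.
plain_decode 'bXl1c2VybmFtZUBkb21haW4udGxkAG15dXNlcm5hbWVAZG9tYWluLnRsZABteXBhc3N3b3Jk'
```

A string that decodes to something other than three NUL-separated fields is rejected, which catches a truncated paste from a log line.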