This documentation is for Dovecot v2.x; see wiki1 for v1.x documentation.

Password Databases

Dovecot authenticates users against password databases. A password database can also be used to configure things like proxies.

You can use multiple databases, so if the password doesn't match in the first database, Dovecot checks the next one. This is useful if you want to support both virtual users and local system users (see Authentication/MultipleDatabases).
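A sketch of the two-database setup described above, as an added example that is not part of the original page: virtual users in a passwd-file are tried first, then local system users through PAM. The file path is a placeholder, and the pam driver and the mechanism names are assumptions not shown on this page.

```conf
# Added example, not from the original page.

# 1) Virtual users. passwd-file is a lookup database: Dovecot reads the
#    stored hash and verifies the password itself.
passdb {
  driver = passwd-file
  # Placeholder path; scheme= sets the default hash scheme for entries
  # that do not carry their own {SCHEME} prefix.
  args = scheme=ssha256 /etc/dovecot/virtual.passwd

  # The result_* values below are the defaults from the page's example,
  # written out so the fall-through behaviour is explicit.
  result_failure = continue        # unknown user or wrong password: try the next passdb
  result_internalfail = continue   # backend error: try the next passdb
  result_success = return-ok       # password matched: stop here
}

# 2) Local system users. PAM is a success/failure database: it only
#    reports whether the password was accepted, so it cannot serve
#    non-plaintext mechanisms.
passdb {
  driver = pam
  # Only consult this passdb for plaintext mechanisms; it is skipped
  # for any other mechanism the client selects.
  mechanisms = plain login
}
```

Order matters: each login attempt is checked against the first passdb before the second, so a name that exists in both is authenticated against the passwd-file entry when that password matches.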

Success/failure databases

These databases simply verify whether the given password is correct for the user. Dovecot doesn't get the correct password from the database; it only gets a "success" or a "failure" reply. This means that these databases can't be used with non-plaintext authentication mechanisms.

Databases that belong to this category are:

Lookup databases

Dovecot does a lookup based on the username and possibly other information (e.g. IP address) and verifies the password validity itself. Fields that the lookup can return:

Databases that support looking up only passwords, but no user or extra fields:

Databases that support looking up everything:

Passdb settings

An example passdb passwd-file with its default settings:

passdb {
  driver = passwd-file
  args = scheme=ssha256 /usr/local/etc/passwd.replica
  default_fields =
  override_fields =

  deny = no
  master = no
  pass = no
  skip = never
  mechanisms =
  username_filter =

  result_failure = continue
  result_internalfail = continue
  result_success = return-ok

  # v2.2.24+
  auth_verbose = default
}

First we have the settings that provide content for the passdb lookup:

Then we have the settings which specify when the passdb is used:

And finally we can control what happens when we're finished with this passdb:

The result values that can be used:

PasswordDatabase (last edited 2017-05-24 14:07:24 by TimoSirainen)