This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.


Pluggable Authentication Modules. This is the most common way to authenticate system users nowadays. PAM isn't itself a password database; rather, its configuration tells exactly how to do the authentication. Usually this means using a module which authenticates the user against the system's shadow password file.

Because PAM isn't an actual database, only plaintext authentication mechanisms can be used with PAM. PAM can't be used as a user database either. Usually PAM is used with passwd or static userdbs.

The PAM configuration is usually in the /etc/pam.d/ directory. By default Dovecot uses the dovecot PAM service name, so the configuration is read from the /etc/pam.d/dovecot file. You can change this by appending the wanted service name after auth_passdb = pam, e.g. auth_passdb = pam imap would use /etc/pam.d/imap. You can also set the service to *, in which case Dovecot automatically uses either the imap or pop3 service depending on which one the user is using to log in.

By giving the session=yes parameter you can make Dovecot open a PAM session and close it immediately. Some PAM plugins, such as pam_mkhomedir, need this. With this parameter /etc/dovecot.conf might look something like this:

passdb pam {
  args = session=yes *
}

Dovecot should work with Linux PAM, Solaris PAM, OpenPAM (FreeBSD) and ApplePAM (Mac OS X).

Here's an example /etc/pam.d/dovecot configuration file which uses standard UNIX authentication:

auth    required nullok
account required

On Mac OS X, the /etc/pam.d/dovecot file should look like this:

auth       required
auth       sufficient
auth       sufficient
auth       required
account    required
password   required
session    required
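
The service-name and session=yes rules described above can be checked against a PAM service file before deployment. The following is an added example, not Dovecot code or part of the original page: the function names, the sample file and its module names (pam_unix.so, pam_mkhomedir.so) are assumptions made for illustration, and @include lines are not followed.

```python
import re

def resolve_service(args, protocol):
    """Return (service_name, session_enabled) for a 'passdb pam' args string."""
    service, session = "dovecot", False      # default PAM service name
    for tok in args.split():
        if tok == "session=yes":
            session = True
        elif tok == "*":
            service = protocol               # imap or pop3, per the login protocol
        elif "=" not in tok:
            service = tok                    # explicit service name, e.g. "imap"
    return service, session

def audit(args, protocol, pam_files):
    """pam_files maps path -> file text (a stand-in for reading /etc/pam.d)."""
    service, session = resolve_service(args, protocol)
    path = "/etc/pam.d/" + service
    if path not in pam_files:
        return path, ["service file not found"]
    findings = []
    for raw in pam_files[path].splitlines():
        line = raw.split("#", 1)[0]
        line = re.sub(r"\[[^\]]*\]", "[ctl]", line)   # keep bracketed controls as one field
        fields = line.split()
        if len(fields) < 3:
            continue
        mtype, _control, module, *opts = fields
        mtype = mtype.lstrip("-")
        if mtype == "session" and not session:
            findings.append(module + ": session line present but session=yes is not set")
        if mtype == "auth" and "nullok" in opts:
            # pam_unix behaviour: nullok permits accounts whose password is empty
            findings.append(module + ": nullok permits accounts with an empty password")
    return path, findings

# Constructed sample input; module names are illustrative, not taken from the page.
SAMPLE = {
    "/etc/pam.d/imap": (
        "auth    required pam_unix.so nullok\n"
        "account required pam_unix.so\n"
        "session required pam_mkhomedir.so   # needs session=yes\n"
    ),
}

if __name__ == "__main__":
    for args in ("imap", "session=yes *", ""):
        print(repr(args), audit(args, "imap", SAMPLE))
```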