This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.

PAM - Pluggable Authentication Modules

This is the most common way to authenticate system users nowadays. PAM is not itself a password database; rather, its configuration tells the system exactly how to do the authentication. Usually this means using the module that authenticates users against the system's shadow password file.

Because PAM is not an actual database, only plaintext authentication mechanisms can be used with PAM. PAM cannot be used as a user database either. Usually PAM is used with passwd or static user databases or NSS (Name Service Switch).

The PAM configuration is usually in the /etc/pam.d/ directory (older systems may use a single file, /etc/pam.conf). By default Dovecot uses dovecot for the PAM service name, so the configuration is read from /etc/pam.d/dovecot. You can change this by appending the desired service name after auth_passdb = pam, e.g. auth_passdb = pam imap would use /etc/pam.d/imap. You can also set the service to *, in which case Dovecot automatically uses either the imap or the pop3 service, depending on the actual service the user is logging in to.

By giving a session=yes parameter, you can make Dovecot open a PAM session and close it immediately. Some PAM plugins need this, for instance pam_mkhomedir. With this parameter, /etc/dovecot.conf might look something like this:

passdb pam {
  args = session=yes *
}

Dovecot should work with Linux PAM, Solaris PAM, OpenPAM (FreeBSD) and ApplePAM (Mac OS X).

Here is an example /etc/pam.d/dovecot configuration file which uses standard UNIX authentication:

auth    required nullok
account required 

For Solaris you will have to edit /etc/pam.conf. Here is a working Solaris example:

imap    auth    required
imap    account required
imap    session required 

On Mac OS X, the /etc/pam.d/dovecot file should look like this:

auth       required
auth       sufficient
auth       sufficient
auth       required
account    required
password   required
session    required
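
The service-name and session=yes rules described above, combined with a check of the PAM file they select, as an added example (not Dovecot's own code). It models only the args handling this page describes; the function names and the sample PAM file are constructed, and include directives are not followed.

```python
import re

def pam_service_for(args, protocol):
    """Model of the passdb args described above: returns (PAM service name, open_session)."""
    service, session = "dovecot", False      # page: the default service name is "dovecot"
    for tok in args.split():
        if tok == "session=yes":
            session = True
        elif "=" not in tok:                 # a bare word is the service name
            service = tok
    if service == "*":                       # page: "*" follows the login protocol
        service = protocol
    return service, session

def audit_pam(text, service, session=False, pam_conf=False):
    """List findings for one service. pam_conf=True means the single-file
    /etc/pam.conf layout, where the service name is the first column.
    Assumption: include directives are not followed."""
    seen, findings = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\[[^\]]*\]", "[ctl]", raw.split("#", 1)[0])  # collapse [a=b c=d] controls
        fields = line.split()
        if pam_conf:
            if not fields or fields[0] != service:
                continue
            fields = fields[1:]
        if len(fields) < 3:
            continue
        mtype, _control, module, *margs = fields
        mtype = mtype.lstrip("-")
        seen.add(mtype)
        if mtype == "auth" and "nullok" in margs:
            findings.append(f"line {n}: {module} nullok lets accounts with an empty password log in")
    for needed in ("auth", "account"):
        if needed not in seen:
            findings.append(f"no {needed} rule for service {service}")
    if session and "session" not in seen:
        findings.append(f"session=yes is set but service {service} has no session rule")
    return findings

# Constructed sample of /etc/pam.d/<service>; pam_unix.so is the usual Linux-PAM module.
SAMPLE = """\
# constructed sample
auth    required  pam_unix.so nullok
account required  pam_unix.so
"""

if __name__ == "__main__":
    svc, sess = pam_service_for("session=yes *", "imap")
    print(f"/etc/pam.d/{svc}")
    for f in audit_pam(SAMPLE, svc, sess):
        print(" ", f)
```
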