Authentication
Authentication is split into four parts:
See also authentication penalty handling for IP addresses. See also authentication policy support for making policy based decisions.
Authentication mechanisms vs. password schemes
Authentication mechanisms and password schemes are often confused, because they have somewhat similar values. For example there is a PLAIN auth mechanism and PLAIN password scheme. But they mean completely different things.
Authentication mechanism is a client/server protocol. It’s about how the client and server talk to each other in order to perform the authentication. Most people use only PLAIN authentication, which basically means that the user and password are sent without any kind of encryption to the server. SSL/TLS can then be used to provide the encryption to make PLAIN authentication secure.
Password scheme is about how the password is hashed in your password database. If you use a PLAIN scheme, your passwords are stored in cleartext without any hashing in the password database. A popular password scheme is MD5-CRYPT (also commonly used in /etc/shadow), where passwords look like $1$oDMXOrCA$plmv4yuMdGhL9xekM.q.I/.
Plaintext authentication mechanisms work with ALL password schemes.
Non-plaintext authentication mechanisms require either PLAIN password scheme or a mechanism-specific password scheme.
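The following is an added example (not Dovecot code) that makes the mechanism/scheme distinction concrete: it encodes and decodes a SASL PLAIN exchange (the mechanism), produces Dovecot-style {PLAIN} and {SHA256} stored passwords (the scheme), and then shows why a plaintext mechanism can be verified against any scheme while a challenge-response mechanism such as CRAM-MD5 only works when the server still has the cleartext password. The function names, the {SHA256} base64 encoding and the CRAM-MD5 challenge string are this example's own constructions; the MD5-CRYPT string parsed at the end is the one quoted above.

```python
from __future__ import annotations

import base64
import hashlib
import hmac


def encode_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Mechanism side: SASL PLAIN initial response (RFC 4616) is
    authzid NUL authcid NUL password, then base64 for the IMAP/POP3 line."""
    raw = f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64: str) -> tuple[str, str, str]:
    """Mechanism side: what the server gets back out of a PLAIN response."""
    parts = base64.b64decode(b64).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def hash_password(scheme: str, password: str) -> str:
    """Scheme side: store the password as '{SCHEME}value'. Only two schemes are
    implemented here; {SHA256} is the base64 of the raw digest (constructed)."""
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    if scheme == "SHA256":
        digest = hashlib.sha256(password.encode("utf-8")).digest()
        return "{SHA256}" + base64.b64encode(digest).decode("ascii")
    raise ValueError(f"scheme {scheme} not implemented in this example")


def split_scheme(stored: str) -> tuple[str, str]:
    """Split '{SCHEME}value' into (SCHEME, value)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored password has no {SCHEME} prefix")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def verify_plaintext_password(stored: str, password: str) -> bool:
    """A plaintext mechanism (PLAIN, LOGIN) hands the server the cleartext
    password, so the server can re-hash it under whatever scheme is stored."""
    scheme, value = split_scheme(stored)
    if scheme == "PLAIN":
        return hmac.compare_digest(value.encode("utf-8"), password.encode("utf-8"))
    if scheme == "SHA256":
        expected = hashlib.sha256(password.encode("utf-8")).digest()
        return hmac.compare_digest(base64.b64decode(value), expected)
    raise ValueError(f"scheme {scheme} not implemented in this example")


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): 'username hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def can_verify(mechanism: str, stored: str) -> bool:
    """The page's rule: plaintext mechanisms work with every scheme; a non-plaintext
    mechanism needs the PLAIN scheme (or its own mechanism-specific scheme)."""
    scheme, _ = split_scheme(stored)
    if mechanism.upper() in ("PLAIN", "LOGIN"):
        return True
    if mechanism.upper() == "CRAM-MD5":
        return scheme in ("PLAIN", "CRAM-MD5")
    return False


def verify_cram_md5(stored: str, challenge: bytes, response: str) -> bool:
    """Server side of CRAM-MD5: the HMAC can only be recomputed from the cleartext
    password, which is exactly why a {SHA256} or MD5-CRYPT entry is unusable here."""
    scheme, value = split_scheme(stored)
    if scheme != "PLAIN":
        raise ValueError(f"CRAM-MD5 cannot be verified against a {scheme} entry")
    _username, _, digest = response.partition(" ")
    expected = hmac.new(value.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def parse_md5_crypt(value: str) -> tuple[str, str]:
    """Split an MD5-CRYPT string '$1$salt$hash' (as in /etc/shadow) into (salt, hash)."""
    fields = value.split("$")
    if len(fields) != 4 or fields[0] != "" or fields[1] != "1":
        raise ValueError("not an MD5-CRYPT string")
    return fields[2], fields[3]
```

The `can_verify` table is the whole point: with a hashed scheme in the database, the only mechanisms the server can still honour are the plaintext ones, which is why those deployments must rely on TLS rather than on a challenge-response mechanism.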
Authentication in Proxies and Directors
Note
Proxy or Director already verifies the authentication (in the reference Dovecot architecture; password has been switched to a master password at this point), so we don’t really need to do it again. We could, in fact, even avoid the password checking entirely, but for extra security it’s still done in this document.
auth_mechanisms = plain login
    Enables the PLAIN and LOGIN authentication mechanisms. The LOGIN mechanism is obsolete, but still used by old Outlooks and some Microsoft phones.

service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0
  }
}
    Disables the authentication penalty. The Proxy or Director already handled this.

auth_cache_size = 100M
    Specifies the amount of memory used for authentication caching (passdb and userdb lookups).

login_trusted_networks = 10.0.0.0/24
    Space-separated list of IP/network ranges that contain the Dovecot Directors. This setting allows Directors to forward the client’s original IP address and session ID to the Backends.

mail_max_userip_connections = 10
    Maximum number of simultaneous IMAP4 or POP3 connections allowed for the same user from the same IP address (10 = 10 IMAP + 10 POP3).

ssl = no
disable_plaintext_auth = no
    The Proxy or Director already decrypted the SSL connections. The Backends will always see only plaintext connections.
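As an added example (not part of Dovecot or of this documentation), the following script parses a dovecot.conf-style fragment containing the backend settings above into flat dotted keys and then checks the combinations that only make sense together: plaintext authentication on an unencrypted backend is acceptable when the backend is reached through a Director on a declared trusted network, and the anvil penalty listener is only worth disabling because the Proxy or Director already enforces it. The sample configuration text is constructed from the settings on this page; the dotted-key layout, the check list and the finding messages are this example's own conventions.

```python
from __future__ import annotations

import re

# Constructed sample: the backend settings from this page as one config file.
SAMPLE_CONF = """\
auth_mechanisms = plain login
service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0
  }
}
auth_cache_size = 100M
login_trusted_networks = 10.0.0.0/24
mail_max_userip_connections = 10
ssl = no
disable_plaintext_auth = no
"""

_SETTING = re.compile(r"^([\w-]+)\s*=\s*(.*)$")
_BLOCK = re.compile(r"^([\w-]+)(?:\s+([\w-]+))?\s*\{$")


def parse_conf(text: str) -> dict[str, str]:
    """Flatten nested 'name [arg] { ... }' blocks into dotted keys, e.g.
    service.anvil.unix_listener.anvil-auth-penalty.mode -> '0'.
    Only the subset of syntax used above is handled (no includes, no quoting)."""
    settings: dict[str, str] = {}
    stack: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = _BLOCK.match(line)
        if m:
            name = m.group(1) if m.group(2) is None else f"{m.group(1)}.{m.group(2)}"
            stack.append(name)
            continue
        m = _SETTING.match(line)
        if m:
            settings[".".join(stack + [m.group(1)])] = m.group(2).strip()
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    if stack:
        raise ValueError("unclosed block")
    return settings


def check_backend(settings: dict[str, str]) -> list[str]:
    """Findings for a backend that is expected to sit behind a Dovecot Proxy/Director.
    The rules encode the relationships described on this page; they are not
    Dovecot's own validation."""
    findings: list[str] = []

    mechs = settings.get("auth_mechanisms", "").split()
    if "login" in mechs:
        findings.append("LOGIN mechanism enabled: obsolete, keep only while legacy "
                        "Outlook/Microsoft phone clients still need it")

    penalty_mode = settings.get("service.anvil.unix_listener.anvil-auth-penalty.mode")
    if penalty_mode != "0":
        findings.append("auth penalty listener still active on backend; "
                        "the Proxy/Director already applies the penalty")

    trusted = settings.get("login_trusted_networks", "").split()
    if not trusted:
        findings.append("login_trusted_networks is empty: Directors cannot forward "
                        "the client's original IP address and session ID")

    if settings.get("disable_plaintext_auth") == "no" and not trusted:
        findings.append("disable_plaintext_auth = no without login_trusted_networks: "
                        "plaintext auth would be accepted from any network, "
                        "not only from the decrypting Proxy/Director")

    limit = settings.get("mail_max_userip_connections", "")
    if not limit.isdigit():
        findings.append("mail_max_userip_connections is not a number")

    return findings


if __name__ == "__main__":
    for finding in check_backend(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the page's own settings it reports only the LOGIN advisory; drop the `mode = 0` line or the trusted network and the penalty and plaintext findings appear, which is the kind of drift check worth running on backends after a Director is removed or renumbered.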
- allow_nets extra field
- Authentication penalty support
- Authentication policy support
- Password hash algorithm
- Request attributes
- Response
- Mode of operation
- External Auth Policy Servers
- Auth Settings
- Authentication (SASL) Mechanisms
- Authentication via remote IMAP server
- BSDAuth
- Caching of authentication results
- CheckPassword
- Key-value authentication (dict) database
- Digest-MD5
- Domain (%d) is empty
- Login referrals
- Kerberos authentication
- LDAP
- LDAP Authentication
- LDAP Backend Configuration
- Passdb LDAP with authentication binds
- Passdb LDAP with password lookups
- LDAP Settings for auth
- Common LDAP Settings for both auth and sieve
- LDAP user database
- Lua based authentication
- Master users/passwords
- Multiple Authentication Databases
- Nodelay extra field
- Nologin extra field
- NSS
- Open Authentication v2.0 database
- PAM
- Passwd
- Passwd-file
- Password database extra fields
- Password databases (passdb)
- Password Schemes
- Prefetch User Database
- Proxy PasswordDatabase
- Restricting IMAP/POP3 access
- Shadow
- SQL
- Static Password Database
- Static User Database
- User database extra fields
- User Databases (userdb)
- User extra field
- Winbind mechanisms