CRAM-MD5 authentication with Dovecot IMAP
- Sunday October 15th, 2006
I recently migrated my IMAP server from Courier-IMAP to Dovecot. It’s part of a whole simplification process I am engaging in. I cut-over the IMAP server and then last week enabled the Dovecot authentication in Postfix to allow me to stop using a separate SASL daemon for authentication. Now both SMTP and IMAP are authenticated from the one source - Dovecot. But one thing I discovered when setting up Dovecot is that there is very limited documentation on using CRAM-MD5 authentication with Dovecot. As a result I am going to quickly document the process I used to get this up and running. Firstly you need to enable the mechanism and specify a passwd database file in Dovecot. The mechanism and passdb file are specified in the dovecot.conf configuration file, on my system this is located in the /usr/local/etc/ directory. auth default { # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi mechanisms = plain login cram-md5 # passwd-like file with specified location passdb passwd-file { # Path for passwd-file args = /etc/cram-md5.pwd } …. } I’ve added the cram-md5 mechanism to the mechanisms statement and then added a passdb file, /etc/cram-md5.pwd. Next, you need to create this passdb file and set appropriate permissions. # touch /etc/cram-md5.pwd # chmod 0600 /etc /cram-md5.pwd After creating the file you need to add your users and hashed passwords to the passdb file. The users and passwords are added in the format: user:passwordhash Dovecot has a utility that allows you to convert passwords to the appropriate hashes. This utility is called dovecotpw and is installed into the /usr/local/sbin directory or is available in the source package in the src/util directory. You can run dovecotpw like so: # dovecotpw Enter new password: Retype new password: {HMAC- MD5}26b633ec8bf9dd526293c5897400bddeef9299fad _ Enter the user’s password when prompted and it will be converted and outputted as a hash. The default hashed output is in the HMAC-MD5 scheme (which is appropriate for CRAM-MD5). You can change the scheme of the outputted hashes using the _-s command line switch. Now add the generated password to the passdb file, /etc/cram-md5.pwd. kartar:{HMAC-MD5}26b633ec8bf9dd526293c5897400bddeef9299fad Finally, restart Dovecot and test authentication by enabling the appropriate mechanism in your email client. For example, to enable CRAM-MD5 authentication in Thunderbird you need to check the “Use secure authentication” checkbox in the Account Settings page. Obviously I recommend that you use TLS/SSL to encrypt the authentication process as well.
blog comments powered by Disqus
