Exim Internet Mailer


Chapter 37 - The dovecot authenticator

This authenticator is an interface to the authentication facility of the Dovecot 2 POP/IMAP server, which can support a number of authentication methods. Note that Dovecot must be configured to use auth-client, not auth-userdb. If you are using Dovecot to authenticate POP/IMAP clients, it might be helpful to use the same mechanisms for SMTP authentication. This is a server authenticator only. There is only one non-generic option:

server_socket Use: dovecot Type: string Default: unset

This option must specify the UNIX socket that is the interface to Dovecot authentication. The public_name option must specify an authentication mechanism that Dovecot is configured to support. You can have several authenticators for different mechanisms. For example:

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_advertise_condition = ${if def:tls_in_cipher}
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

Note: plaintext authentication methods such as PLAIN and LOGIN should not be advertised on cleartext SMTP connections. See the discussion in section 34.1.

If the SMTP connection is encrypted, or if $sender_host_address is equal to $received_ip_address (that is, the connection is local), the “secured” option is passed in the Dovecot authentication command. If, for a TLS connection, a client certificate has been verified, the “valid-client-cert” option is passed. When authentication succeeds, the identity of the user who authenticated is placed in $auth1.
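The following is an added, offline model of the exchange just described; it is not Exim's or Dovecot's code. It encodes the rule for when "secured" and "valid-client-cert" are attached to the Dovecot authentication command, builds that command, and parses the reply to obtain the value that ends up in $auth1. The tab-separated AUTH/OK/FAIL line format is my understanding of the Dovecot auth-client protocol, the service name "smtp" is assumed, and the Dovecot side is a constructed stand-in with constructed sample credentials, so the whole thing runs without a socket.

```python
"""Offline model of the Exim -> Dovecot auth-client exchange.

Assumptions (not taken from the Exim spec): the tab-separated AUTH/OK/FAIL
line format follows the Dovecot authentication protocol as I understand it,
the service name is "smtp", and the Dovecot side is a constructed stand-in.
"""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SmtpSession:
    """The Exim-side facts that decide which options are sent."""
    sender_host_address: str
    received_ip_address: str
    tls_cipher: Optional[str]      # None on a cleartext connection
    client_cert_verified: bool


def connection_options(s: SmtpSession) -> List[str]:
    """Options Exim attaches to the Dovecot AUTH command, per the text above."""
    opts = []
    # encrypted, or local (client and server address identical) -> "secured"
    if s.tls_cipher is not None or s.sender_host_address == s.received_ip_address:
        opts.append("secured")
    # a verified client certificate can only exist on a TLS connection
    if s.tls_cipher is not None and s.client_cert_verified:
        opts.append("valid-client-cert")
    return opts


def build_auth_command(req_id: int, mechanism: str, s: SmtpSession,
                       initial_response: Optional[bytes]) -> str:
    """Assemble one AUTH line; the service name "smtp" is an assumption."""
    fields = ["AUTH", str(req_id), mechanism, "service=smtp"]
    fields += connection_options(s)
    if initial_response is not None:
        fields.append("resp=" + base64.b64encode(initial_response).decode("ascii"))
    return "\t".join(fields) + "\n"


def parse_reply(line: str) -> Tuple[str, int, Dict[str, str]]:
    """Split an OK/CONT/FAIL reply into (status, request id, key=value params)."""
    parts = line.rstrip("\n").split("\t")
    params: Dict[str, str] = {}
    for p in parts[2:]:
        key, _, value = p.partition("=")
        params[key] = value
    return parts[0], int(parts[1]), params


# ---- constructed stand-in for the Dovecot side (sample data, not real users) ----
CONSTRUCTED_USERS = {"alice": "correct horse"}


def fake_dovecot(auth_line: str) -> str:
    """Answer one AUTH command. Refuses PLAIN unless "secured" is present, a
    constructed policy modelled on Dovecot's disable_plaintext_auth setting."""
    parts = auth_line.rstrip("\n").split("\t")
    req_id, mech, extras = parts[1], parts[2], parts[3:]
    flags = {e for e in extras if "=" not in e}
    kv = dict(e.split("=", 1) for e in extras if "=" in e)
    if mech == "PLAIN" and "secured" not in flags:
        return f"FAIL\t{req_id}\treason=plaintext auth on insecure connection\n"
    if mech != "PLAIN" or "resp" not in kv:
        return f"FAIL\t{req_id}\treason=unsupported\n"
    # SASL PLAIN payload: authzid NUL authcid NUL password
    _authz, authcid, password = base64.b64decode(kv["resp"]).decode().split("\0")
    if CONSTRUCTED_USERS.get(authcid) == password:
        return f"OK\t{req_id}\tuser={authcid}\n"
    return f"FAIL\t{req_id}\tuser={authcid}\n"


def authenticate(s: SmtpSession, authcid: str, password: str) -> Optional[str]:
    """Run one PLAIN exchange; return what Exim would place in $auth1 on success."""
    cmd = build_auth_command(1, "PLAIN", s, f"\0{authcid}\0{password}".encode())
    status, req_id, params = parse_reply(fake_dovecot(cmd))
    if status == "OK" and req_id == 1:
        return params.get("user")
    return None


if __name__ == "__main__":
    tls = SmtpSession("192.0.2.10", "198.51.100.5", "TLS_AES_256_GCM_SHA384", False)
    clear = SmtpSession("192.0.2.10", "198.51.100.5", None, False)
    print(build_auth_command(1, "PLAIN", tls, b"\0alice\0correct horse"), end="")
    print("TLS   ->", authenticate(tls, "alice", "correct horse"))
    print("clear ->", authenticate(clear, "alice", "correct horse"))
```

The cleartext case fails in the stand-in for the same reason the page advises against advertising PLAIN and LOGIN on unencrypted connections: without "secured" the Dovecot side has no grounds to accept a plaintext mechanism, which is what the server_advertise_condition on dovecot_plain above prevents Exim from offering in the first place.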

The Dovecot configuration to match the above will look something like:

conf.d/10-master.conf :-

service auth {
...
#SASL
  unix_listener auth-client {
    mode = 0660
    user = mail
  }
...
}

conf.d/10-auth.conf :-

auth_mechanisms = plain login ntlm
