

Authentication Mechanisms
=========================




Plaintext authentication
========================


The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented.
Today, however, many people use SSL/TLS, and there's no problem with sending an unencrypted password inside an SSL-secured connection. So if you're using SSL, you probably don't need to bother with anything other than the PLAIN mechanism.
Another plaintext mechanism is LOGIN. It's typically used only by SMTP servers to let Outlook clients perform SMTP authentication.


Non-plaintext authentication
============================


Non-plaintext mechanisms have one major disadvantage: the server must store the password either in plaintext or using a special password scheme. This makes it impossible to use them with the commonly used DES or MD5 crypted passwords. Also, the special password schemes are all incompatible with the other non-plaintext mechanisms.
Dovecot supports the following non-plaintext mechanisms:

 * CRAM-MD5: Protects the password in transit against eavesdroppers. Somewhat good support in clients.
 * DIGEST-MD5: Somewhat stronger cryptographically than CRAM-MD5, but clients rarely support it.
 * APOP: This is a POP3-specific authentication. Similar to CRAM-MD5, but requires storing the password in plaintext.
 * NTLM: Mechanism created by Microsoft and supported by their clients.
   * Optionally supported using Samba's winbind.
 * GSS-SPNEGO: Similar to NTLM.
 * GSSAPI: Kerberos v5 support.
 * RPA: Compuserve RPA authentication mechanism. Similar to DIGEST-MD5, but client support is rare.
 * ANONYMOUS: Support for logging in anonymously. This may be useful if you're intending to provide a publicly accessible IMAP archive.
 * OTP and SKEY: One-time password mechanisms. Supported only by Dovecot v1.1 and later.
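To make the plaintext-vs-non-plaintext distinction concrete, here is an added example (not code from the Dovecot project or the wiki) that builds a SASL PLAIN initial response and a CRAM-MD5 exchange with Python's standard library. The credentials and the server challenge are constructed sample values. It shows why PLAIN is only safe inside TLS, and why a CRAM-MD5 server needs the plaintext password (or an equivalent HMAC-MD5 context) rather than a crypt/MD5-crypt hash.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from any real deployment.
USER = "alice"
PASSWORD = "correct horse"
# A CRAM-MD5 challenge is a msg-id style string chosen fresh by the server.
CHALLENGE = b"<1896.697170952@postoffice.example.com>"


def plain_initial_response(user: str, password: str) -> str:
    """SASL PLAIN: base64("\\0" + authcid + "\\0" + password).
    Nothing here is secret once captured, hence TLS is required."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def plain_decode(initial_response: str):
    """What a passive listener recovers from a PLAIN login without TLS."""
    _authzid, authcid, passwd = base64.b64decode(initial_response).split(b"\0")
    return authcid.decode(), passwd.decode()


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """CRAM-MD5 client side: base64(user + " " + hex(HMAC-MD5(password, challenge))).
    The password itself never crosses the wire, only a keyed digest of the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response_b64: str, challenge: bytes, lookup_password) -> bool:
    """CRAM-MD5 server side: recompute the HMAC from the stored plaintext password.
    lookup_password(user) returns the stored password or None; this is the step
    that cannot be done from a one-way crypt/MD5-crypt hash."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    stored = lookup_password(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    print("PLAIN  :", plain_initial_response(USER, PASSWORD), plain_decode(plain_initial_response(USER, PASSWORD)))
    resp = cram_md5_response(USER, PASSWORD, CHALLENGE)
    print("CRAM   :", resp, cram_md5_verify(resp, CHALLENGE, lambda u: PASSWORD if u == USER else None))
```

Because the server binds the digest to its own challenge, a captured CRAM-MD5 response cannot be replayed against a later challenge, which is the "protects the password in transit" property listed above.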


Configuration
=============


By default only the PLAIN mechanism is enabled. You can change this by modifying 'dovecot.conf':

---%<-------------------------------------------------------------------------
auth default {
  mechanisms = plain login cram-md5
  # ..
}
---%<-------------------------------------------------------------------------

(This file was created from the wiki on 2007-12-11 04:42)
