Authentication Mechanisms
=========================

Plaintext authentication
------------------------

The simplest authentication mechanism is PLAIN. The client simply sends the
username and password to Dovecot as-is (base64-encoded, but not encrypted). All
clients support the PLAIN mechanism, but obviously anyone who can listen on the
network can read the password. For that reason (and some others) other
mechanisms were implemented.

Today however many people use <SSL/TLS> [SSL.txt], and there is no problem with
sending an unencrypted password inside an SSL-secured connection. So if you're
using SSL, you probably don't need to bother with anything other than the PLAIN
mechanism. Just make sure Dovecot refuses plaintext authentication on
connections that are not SSL-protected (the 'disable_plaintext_auth' setting,
which is 'yes' by default).

Another plaintext mechanism is LOGIN. It offers no more protection than PLAIN
and is typically used only by SMTP servers to let Outlook clients perform SMTP
authentication.

Non-plaintext authentication
----------------------------

Non-plaintext mechanisms have one major disadvantage: the server must store the
password either in plaintext or using a mechanism-specific <scheme>
[Authentication.PasswordSchemes.txt]. This makes it impossible to use them with
commonly used DES or MD5 crypted passwords, because the server cannot recover
the password from such a hash to compute the expected response. The
mechanism-specific schemes are also incompatible with each other: a password
stored for CRAM-MD5 cannot be used to verify a DIGEST-MD5 login, and vice versa.

Dovecot supports the following non-plaintext mechanisms:

 * CRAM-MD5: Protects the password in transit against eavesdroppers. Reasonably
   good client support.
 * <DIGEST-MD5> [Authentication.Mechanisms.DigestMD5.txt]: Somewhat stronger
   cryptographically than CRAM-MD5, but clients rarely support it.
 * APOP: This is a POP3-specific authentication. Similar to CRAM-MD5, but
   requires storing the password in plaintext.
 * NTLM: Mechanism created by Microsoft and supported by their clients.
    * Optionally supported <using Samba's winbind>
      [Authentication.Mechanisms.Winbind.txt].
 * <GSS-SPNEGO> [Authentication.Mechanisms.Winbind.txt]: Similar to NTLM.
 * <GSSAPI> [Authentication.Kerberos.txt]: Kerberos v5 support.
 * RPA: Compuserve RPA authentication mechanism. Similar to DIGEST-MD5, but
   client support is rare.
 * ANONYMOUS: Support for logging in anonymously. This may be useful if you're
   intending to provide a publicly accessible IMAP archive.
 * OTP and SKEY: One time password mechanisms. Supported only by Dovecot v1.1
   and later.
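As an added illustration (example code written for this page, not Dovecot's own
implementation), the following Python shows both kinds of exchange described
above: what a PLAIN login looks like to anyone sniffing the connection, and how
CRAM-MD5 instead lets the server check a one-off HMAC-MD5 digest against a
stored, mechanism-specific secret. The challenge format
'<random@mail.example.com>', the user 'tim' and the password are constructed
sample data; the stored form is the HMAC inner/outer MD5 contexts with the key
pads absorbed, kept here as live hash objects rather than in Dovecot's hex
serialisation.

```python
"""PLAIN vs. CRAM-MD5 on the wire, and what the server has to store for each."""
import base64
import hashlib
import hmac
import os


# --- PLAIN (RFC 4616): "authzid NUL authcid NUL password", base64-wrapped, nothing more.

def plain_encode(username: str, password: str, authzid: str = "") -> str:
    """Client side: the single base64 line sent for the PLAIN mechanism."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()


def plain_decode(line: str) -> tuple:
    """Eavesdropper (or server) side: base64 is encoding, not encryption."""
    authzid, username, password = base64.b64decode(line).decode().split("\0")
    return authzid, username, password


# --- CRAM-MD5 (RFC 2195): challenge/response with HMAC-MD5 keyed by the password.

def cram_md5_challenge(nonce: str = "") -> str:
    """Server side: a fresh, unpredictable challenge (assumed '<random@host>' format), base64-encoded."""
    nonce = nonce or os.urandom(8).hex()
    return base64.b64encode(f"<{nonce}@mail.example.com>".encode()).decode()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side: base64('username ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_secret(password: str) -> tuple:
    """Server-side stored form: the HMAC-MD5 inner and outer MD5 contexts with the
    key pads already absorbed. This is what a CRAM-MD5 password scheme keeps in
    place of the plaintext password. A crypt()/MD5-crypt hash cannot be turned
    into this form, and this form is useless for DIGEST-MD5, which keys its hash
    differently (hence the incompatibility between the special schemes)."""
    key = password.encode()
    if len(key) > 64:                      # HMAC: keys longer than the block size are hashed first
        key = hashlib.md5(key).digest()
    key = key.ljust(64, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def cram_md5_verify(response_b64: str, challenge_b64: str, lookup_secret) -> bool:
    """Server side: finish the HMAC from the stored contexts and compare in constant time."""
    try:
        username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:                     # malformed base64, bad UTF-8 or no separator
        return False
    secret = lookup_secret(username)
    if secret is None:
        return False
    inner, outer = (ctx.copy() for ctx in secret)   # never mutate the stored contexts
    inner.update(base64.b64decode(challenge_b64))
    outer.update(inner.digest())
    return hmac.compare_digest(outer.hexdigest(), digest)


if __name__ == "__main__":
    # Constructed sample credentials; not a real account.
    user, pw = "tim", "tanstaaftanstaaft"
    line = plain_encode(user, pw)
    print("PLAIN on the wire:   ", line)
    print("recovered by sniffer:", plain_decode(line))

    store = {user: cram_md5_secret(pw)}    # the only thing the server keeps
    challenge = cram_md5_challenge()
    response = cram_md5_response(user, pw, challenge)
    print("CRAM-MD5 challenge:  ", challenge)
    print("CRAM-MD5 response:   ", response)   # username plus a one-off digest, no password
    print("server accepts:      ", cram_md5_verify(response, challenge, store.get))
    print("wrong password:      ",
          cram_md5_verify(cram_md5_response(user, "x", challenge), challenge, store.get))
```

The sniffer in the PLAIN case gets the password with one base64 decode, which
is why PLAIN is only acceptable inside SSL/TLS. In the CRAM-MD5 case the wire
carries only a challenge and a digest that is useless once the challenge
changes, but the server has had to keep a secret derived directly from the
plaintext password, which is exactly the storage cost the text describes.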

Configuration
-------------

By default only the PLAIN mechanism is enabled. You can change this by modifying
'dovecot.conf':

---%<-------------------------------------------------------------------------
auth default {
  mechanisms = plain login cram-md5
  # ..
}
---%<-------------------------------------------------------------------------

(This file was created from the wiki on 2007-10-31 04:42)
