I prefer not to use clear text passwords, even over an encrypted connection. With IMAP, the only such mechanism with widespread client support is CRAM-MD5 (please correct me if I'm wrong... I'd love to be corrected here...).
On the Dovecot 2 wiki, the only way I've found to implement CRAM-MD5 support is to use a passwd-like file: http://wiki2.dovecot.org/HowTo/CRAM-MD5
I am running a small IMAP server used by my family.
As long as I was the single user on the IMAPd, manually managing the passwd file was doable (if a bit cumbersome).
With 2-5 users, I'm looking for a more elegant solution.
Does anyone have a similar situation, and a solution they would like to share (config/HOWTO)?
Here are the possibilities that come to mind:
- Create a web interface to change the password (does anyone know of a ready-made solution for this that they could recommend?)
- Convince PAM to update the Dovecot HMAC-MD5 password file as well as the regular system password file (my Dovecot runs on a Debian stable "wheezy" system. In theory this should be possible, but it is very hard to find documentation on what PAM modules exist, and how to write a new one, and if it is possible to chain modules in PAM, i.e. use one module to update-this-passwd-file and then use a different module to update a different passwd file)
- Use LDAP, which I think can also support CRAM-MD5 when using password lookups http://wiki2.dovecot.org/AuthDatabase/LDAP/PasswordLookups (learning how to set up LDAP is something I have avoided for years, because it looks awfully complex and time consuming)
I haven't looked into using databases, SQL, or key-value stores, because they seem like a more cumbersome way to do the same thing as passwd files.
But I am aware that this assumption could be wrong. It could e.g. be easier to make the web interface idea work with a database manager, than messing around with setuid bits to safely update a passwd file owned and touchable only by the dovecot user.
Thanks for any and all responses!
- Steinar