[Dovecot] Looking for a good way to manage passwords for CRAM-MD5

Steinar Bang sb at dod.no
Sun May 12 14:17:21 EEST 2013


I prefer not to use clear text passwords, even over an encrypted
connection.  With IMAP, the only such mechanism with widespread client
support is CRAM-MD5 (please correct me if I'm wrong... I'd love to be
corrected here...).

On the dovecot 2 wiki, the only way I've found to implement CRAM-MD5
support, is to use a passwd-like file:
 http://wiki2.dovecot.org/HowTo/CRAM-MD5

I am running a small IMAP server used by my family.

As long as I was the single user on the IMAPd, manually managing the
passwd file was doable (if a bit cumbersome).

With 2-5 users, I'm looking for a more elegant solution.

Does anyone have a similar situation, and a solution they would like to
share (config/HOWTO)?

Here are the possibilities that come to mind:
 1. Create a web interface to change the password (does anyone know of a
    ready-made solution for this that they could recommend?)
 2. Convince PAM to update the dovecot HMAC-MD5 password file as well as
    the regular system password file (my dovecot runs on a debian stable
    "wheezy" system.  In theory this should be possible, but it is very
    hard to find documentation on what PAM modules exist, and how to
    write a new one, and if it is possible to chain modules in PAM,
    i.e. use one module to update-this-passwd-file and then use a
    different module to update a different passwd file)
 3. Use LDAP, which I think can also support CRAM-MD5 when using
    password lookups
     http://wiki2.dovecot.org/AuthDatabase/LDAP/PasswordLookups
    (learning how to set up LDAP is something I have avoided for years,
    because it looks awfully complex and time consuming)

I haven't looked into using databases, SQL, or key-value store, because
they seem like a more cumbersome way to do the same thing as passwd
files. 

But I am aware that this assumption could be wrong.  It could e.g. be
easier to make the web interface idea work with a database manager, than
messing around with setuid bits to safely update a passwd file owned and
touchable only by the dovecot user.

Thanks for any and all responses!


- Steinar
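
One way to handle the "safely update a passwd file" concern raised in the message above, as an added example (not part of the original post and not Dovecot's own code): a locked, atomic rewrite of a single entry. It assumes `user:{CRAM-MD5}hash[:more fields]` lines as in the linked HowTo and hashing through `doveadm pw -s CRAM-MD5 -p`; the names `set_password` and `doveadm_hash` are hypothetical.

```python
import fcntl
import os
import subprocess
import tempfile


def doveadm_hash(password):
    # Assumes doveadm is installed. Caveat: -p puts the password in argv,
    # where other local users can see it in ps while the command runs.
    out = subprocess.run(["doveadm", "pw", "-s", "CRAM-MD5", "-p", password],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()  # "{CRAM-MD5}<hex>"


def set_password(path, user, password, hasher=doveadm_hash):
    """Replace or append one user's entry; returns True if it existed."""
    if not user or any(c in user for c in ":\r\n"):
        raise ValueError("invalid user name")
    hashed = hasher(password)
    if any(c in hashed for c in ":\r\n"):
        raise ValueError("hash would corrupt the passwd-file")
    directory = os.path.dirname(os.path.abspath(path))
    # Writers serialise on a lock file; readers only ever see a whole file.
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(path) as f:
                lines = f.read().splitlines()
        except FileNotFoundError:
            lines = []
        found = False
        for i, line in enumerate(lines):
            fields = line.split(":")
            if fields[0] == user:
                fields[1:2] = [hashed]  # keep uid, gid, home, extra fields
                lines[i], found = ":".join(fields), True
        if not found:
            lines.append(f"{user}:{hashed}")
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".passwd-")  # 0600
        try:
            with os.fdopen(fd, "w") as f:
                f.write("\n".join(lines) + "\n")
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, path)  # atomic rename within one directory
        except BaseException:
            os.unlink(tmp)
            raise
    return found
```

Run it as the account that owns the passwd-file, so the replacement file keeps that ownership and its 0600 mode.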


