Authenticating with checkpassword

Mark Foley mfoley at
Thu Feb 21 18:50:07 EET 2019

I am trying to use the checkpassword authentication (
I do have a working checkpassword program. The protocol expects to received on fd 3 the


I find that this works properly and the program can authenticate if the client is using PLAIN
LOGIN.  Both username and password are sent on fd3.  But, if the client has specified
kerberos/gssapi authentication then only the username is passed to checkpassword.  The
following is a debug dump from checkpassword showing the input read on fd 3 (12 bytes):

len 12: 636861726d61696e65000000 charmaine...
User: [charmaine], PW: []

Without a password, checkpassword returns failure. 

I am running dovecot in a Samba4 Active Directory.  I have some email clients that use
kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook).  All users,
however, are active directory domain users and all could potentially authenticate with AD

I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via
kerberos/GSSAPI has to also be in the mail server's /etc/passwd file with the same ID/PW as 
their AD credentials, which become a bit of a pain when the user changes his domain password.

Why does not dovecot pass to checkpassword the user's password? When I tried this a few years
ago I thought it did.

If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism?

Is there a solution to this? 

THX --Mark

More information about the dovecot mailing list