Child pages
  • HowTo authenticate Apache against dovecot 2.1
Skip to end of metadata
Go to start of metadata

Introduction

Advanced mail server setups often extend a basic setup with web based additional tools like webmailers, sieve editors, vacation message configuration tools, caldav/carddav, and so on. 

Authenticating such web interfaces against a part of the basic setup can really simplify things.

We do so, using the auth-socket of the dovecot POP/IMAP server (version 2.1, using dovecot's upstream packages for debian wheezy).

The following HowTo explains how we actually managed to connect apache with dovecot.

Install mod_auth_external

 

apt-get install libapache2-mod-authnz-external

a2enmod authnz_external

 

Configure VirtualHost (Exampe)

 

# in VirtualHost or global httpd.conf context
DefineExternalAuth dovecotpw pipe /etc/apache2/auth/dovecotpw.sh
 
# in almost any context, i.e. VirtualHost, Location, Directory, ...
AuthType Basic
AuthName authtest
AuthBasicProvider external
AuthExternal dovecotpw
Require valid-user

Create Wrapper-Script

Create /etc/apache2/auth/dovecotpw.sh with this content:

#!/bin/bash
read DCUSER
read DCPASS
/usr/bin/doveadm auth ${DCUSER} ${DCPASS}
# eventually log something
exit $?

Activate Apache changes

 

# apache must be allowed to execute the script. there are several way to accomplish this. one is:
chmod 0755 /etc/apache2/auth/dovecotpw.sh

apache2ctl graceful

 

Provide a Dovecot auth-client socket for Apache

In i.e. /etc/dovecot/local.conf a unix_listener auth-client with wide access rights is required:

 

service auth {
  # [...]
  unix_listener auth-client {
    mode = 0666
    #user = vmail
  }
}

Activate Dovecot change

/etc/init.d/dovecot stop
 
# make sure this is (re)created with the correct access rights. Evtl. Your path may differ
rm /var/run/dovecot/auth-client
 
/etc/init.d/dovecot start

Done!

  • No labels