How to make dovecot not ask passwords from localhost?

dovecot pam

I have set up dovecot server and I'm currently using offline imap to sync my gmail to the dovecot imap running on the localhost.

Currently I'm using plain text authentication, but this results in every single mail client to ask & remember my user name password just to access mail from localhost.

Is there a way to set up dovecot such that it will not ask me for authentication when I'm trying to log in to it from gnus from localhost for example? Or make it ask pam/gnomekeyring/anything to not ask me?

ps. there are no plans to allow accessing dovecot server not from localhost. Not even from local network.


Solution 1:

Three options come to my mind:

  • First, if you are on the same machine, you could just use the underlying mail store directly, without going thru IMAP. Depending on the store and client used, this may result in some troubles reflecting changes back to IMAP, though.

  • Second, use Dovecot's mechanism for pre-authenticated sessions, together with an inetd or ucspi-tcp's tcpserver if you need to listen on a TCP port for you client of choice.

  • Finally, you could setup Kerberos ticket authentication and use that with Dovecot via GSSAPI. But that's probably overkill for your scenario.

Solution 2:

The comment from @grawity on the other answer, although now outdated, led me to the solution I needed. It deserves an answer of its own. This answer to a closely related question provided the missing link.

Pre-authenticated sessions can be obtained by piping through a Dovecot command. Recent (>= 2.0) versions of Dovecot provide the imap command, which on Debian and Ubuntu is located at /usr/lib/dovecot/imap. On older versions you'd instead run dovecot --exec-mail imap (located in /usr/sbin).

For my mutt, the required .muttrc setting would thus be

tunnel=/usr/lib/dovecot/imap

Solution 3:

Nowadays (2.2.32+) Dovecot allows you to create a passdb definiteion, that has the options allow_real_nets=127.0.0.1/32 and nopassword in the override_fields setting. This will allow any password, but only from the specified subnet (IE localhost). You can still use your normal passdb definition to ensure the mailbox correctly exists, but use override_fields or similar to set these two options to restrict it.

Related

postgresql - Approach for 'live'/hot file backup?
Apache security - list all possible handlers / actions
VMware NAS/iSCSI recommendations - smallish organization
Secure Exchange mailboxes
Linux IPv6 loopback routes getting automatically added
Best practices for hardening/locking down Windows Server 2008 R2 for use as web server?
When HDD wakes up?
Postfix: Set custom SMTP Banner based on address used to access server
Can ping between Host and Guest, but can't acces webserver with Virtualbox
how to disable user logoff from remote desktop
How to unassign self-signed cert from SMTP on Exchange 2010?
HTTPS works, HTTP does not