How to make dovecot not ask passwords from localhost?

I have set up a dovecot server and I'm currently using offline imap to sync my gmail to the dovecot imap running on localhost.

Currently I'm using plain text authentication, but this results in every single mail client asking for & remembering my user name and password just to access mail from localhost.

Is there a way to set up dovecot such that it will not ask me for authentication when I'm trying to log in to it from gnus from localhost for example? Or make it ask pam/gnomekeyring/anything to not ask me?

P.S. There are no plans to allow accessing the dovecot server from anywhere but localhost. Not even from the local network.


Solution 1:

Three options come to my mind:

  • First, if you are on the same machine, you could just use the underlying mail store directly, without going through IMAP. Depending on the store and client used, this may result in some troubles reflecting changes back to IMAP, though.

  • Second, use Dovecot's mechanism for pre-authenticated sessions, together with an inetd or ucspi-tcp's tcpserver if you need to listen on a TCP port for your client of choice.

  • Finally, you could set up Kerberos ticket authentication and use that with Dovecot via GSSAPI. But that's probably overkill for your scenario.

Solution 2:

The comment from @grawity on the other answer, although now outdated, led me to the solution I needed. It deserves an answer of its own. This answer to a closely related question provided the missing link.

Pre-authenticated sessions can be obtained by piping through a Dovecot command. Recent (>= 2.0) versions of Dovecot provide the imap command, which on Debian and Ubuntu is located at /usr/lib/dovecot/imap. On older versions you'd instead run dovecot --exec-mail imap (located in /usr/sbin).

For my mutt, the required .muttrc setting would thus be

set tunnel="/usr/lib/dovecot/imap"
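
An added example, not part of the answer above: a small Python check that a tunnel command really yields a pre-authenticated session, by speaking IMAP over the command's stdin/stdout and reading the greeting. The stand-in server, `fake_command` and `session_state` are constructed for this illustration so the check also runs on a machine without Dovecot.

```python
import imaplib
import shlex
import sys

# Path given in the answer above (Debian/Ubuntu, Dovecot >= 2.0).
DOVECOT_IMAP = "/usr/lib/dovecot/imap"

# Constructed stand-in for that binary so the check also runs without Dovecot:
# it greets with PREAUTH (or OK) and answers CAPABILITY and LOGOUT.
FAKE_SERVER = r'''
import sys
w = sys.stdout.write
w("* GREETING [CAPABILITY IMAP4rev1] constructed demo server\r\n")
sys.stdout.flush()
for line in sys.stdin:
    tag, _, cmd = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "CAPABILITY":
        w("* CAPABILITY IMAP4rev1\r\n")
    if cmd == "LOGOUT":
        w("* BYE logging out\r\n")
    w(tag + " OK done\r\n")
    sys.stdout.flush()
    if cmd == "LOGOUT":
        break
'''

def fake_command(greeting="PREAUTH"):
    """Shell command for the stand-in server (hypothetical helper)."""
    script = FAKE_SERVER.replace("GREETING", greeting)
    return shlex.join([sys.executable, "-c", script])

def session_state(command):
    """Speak IMAP over the command's stdin/stdout, as mutt's tunnel does.

    Returns imaplib's state after the greeting: "AUTH" when the server sent
    PREAUTH (no LOGIN needed), "NONAUTH" when it sent a plain OK.
    """
    conn = imaplib.IMAP4_stream(command)
    try:
        return conn.state
    finally:
        conn.logout()

if __name__ == "__main__":
    # Pass the real binary as argv[1], e.g. DOVECOT_IMAP, to test a live setup.
    command = sys.argv[1] if len(sys.argv) > 1 else fake_command()
    print(command.split()[0], "->", session_state(command))
```

A result of "NONAUTH" means the command still expects a LOGIN, so a client using it as a tunnel would prompt for a password.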

Solution 3:

Nowadays (2.2.32+) Dovecot allows you to create a passdb definition that has the options allow_real_nets=127.0.0.1/32 and nopassword in the override_fields setting. This will allow any password, but only from the specified subnet (i.e. localhost). You can still use your normal passdb definition to ensure the mailbox correctly exists, but use override_fields or similar to set these two options to restrict it.