How to make dovecot password independent of server password?
Solution 1:
Dovecot conceptually separates user account information into two databases:
- The user database contains everything Dovecot needs except for the password.
- The password database contains (encrypted) user passwords.
You can have multiple databases of each type, and Dovecot will use the first one with a matching entry. There are several database backends, and you can choose different backends for the user and password databases. For example, you could use SQL for the user database and a flat passwd-like file for the password database.
In your case, it sounds like you want to configure Dovecot to use all of the normal system user information except for the password. This is a pretty common situation, as described in the System Users wiki page:
Admins often wish to use different passwords for IMAP and POP3 than for other services (eg. SSH), because IMAP and POP3 clients often send the password unencrypted over the internet without even bothering to give users any warnings. Dovecot can easily support non-system passwords for system users.
[...]
If you wish to use non-system passwords, you can use pretty much any of the Dovecot's password databases, but for simple installations you'll probably want to use passwd-file.
User database for system users is always passwd.
Here's a concrete example of how you would set it up. In your /etc/dovecot/dovecot.conf
you would put something like this:
passdb {
driver = passwd-file
args = /etc/dovecot/passwd
}
userdb {
driver = passwd
}
and your /etc/dovecot/passwd
file would contain a line like this:
root:{CRYPT}zVQDPzjspy126
The above configuration tells Dovecot to look in /etc/dovecot/passwd
for password information (and only root
is present so only that user would be able to log in) and look in the system user database for everything else.
See this answer for how to generate the encrypted password field in your /etc/dovecot/passwd
file.
Solution 2:
You want so called virtual users
- some separate accounts that are not interfere with system ones. There is lot of backends possible - plain files, SQL servers, LDAP and so on. The only suggestion - use dovecot-auth
within postfix to deal with single authorization backend.