Authentication Mechanisms
=========================

An authentication mechanism is the protocol that an IMAP or POP3 client uses to communicate with Dovecot to perform the authentication. The simplest one is the PLAIN mechanism, in which the client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but the obvious problem is that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented.

Non-PLAIN mechanisms have one major disadvantage, however. On the server side the password must be stored in a special format or in plaintext. This makes it impossible to use most mechanisms with the commonly used DES and MD5 crypted passwords.

Today, however, many people use SSL, and sending the password unencrypted inside an SSL-secured connection is not a problem. So if you're using SSL, you probably don't need to worry about anything other than the PLAIN mechanism.

Other non-PLAIN mechanisms include:

 * CRAM-MD5: Protects the password in transit against eavesdroppers. Somewhat good support in clients.
 * DIGEST-MD5: Somewhat stronger cryptographically than CRAM-MD5, but clients rarely support it.
 * APOP: This is a POP3-specific authentication. Similar to CRAM-MD5, but requires storing the password in plaintext.
 * NTLM: Mechanism created by Microsoft and supported by their clients.
 * GSSAPI: Kerberos v5 support.
 * RPA: CompuServe RPA authentication mechanism. Similar to DIGEST-MD5, but client support is rare.
 * LOGIN: Similar to PLAIN, useful only when serving SMTP AUTH to Outlook clients (i.e. pretty useless with IMAP and POP3).
 * ANONYMOUS: Support for logging in anonymously. This may be useful if you intend to provide a publicly accessible IMAP archive.
 * OTP and SKEY: One-time password mechanisms. Supported only by Dovecot v1.1 and later.

(This file was created from the wiki on 2007-06-15 04:42)
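The storage trade-off between PLAIN and CRAM-MD5 described above, as an added example (not part of the original wiki page and not Dovecot's own code). It follows the message formats of RFC 4616 and RFC 2195; PBKDF2 stands in for a one-way stored format such as DES or MD5 crypt, and the user name, password and host name are constructed sample values.

```python
import base64, hashlib, hmac, os, time

def plain_message(user, password):
    # RFC 4616 PLAIN: authzid NUL authcid NUL password, base64 only (no secrecy)
    return base64.b64encode(f"\0{user}\0{password}".encode())

def make_hash_record(password):
    # Stand-in for a one-way stored format (assumption: PBKDF2, not DES/MD5 crypt)
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def plain_verify(message, hashed_db):
    # The server receives the password itself, so any one-way hash can check it
    _, user, password = base64.b64decode(message).decode().split("\0")
    if user not in hashed_db:
        return False
    salt, stored = hashed_db[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def cram_challenge(host="mail.example.org"):
    # RFC 2195: fresh per-connection challenge <random.timestamp@host>
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()

def cram_response(user, password, challenge):
    # Client proves knowledge of the password with a keyed digest of the challenge
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def cram_verify(response, challenge, plaintext_db):
    # The server must recompute the HMAC, so it needs the password (or a
    # mechanism-specific derived key); a salted one-way hash cannot be used
    user, digest = base64.b64decode(response).decode().rsplit(" ", 1)
    if user not in plaintext_db:
        return False
    expected = hmac.new(plaintext_db[user].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def password_on_wire(message, password):
    # True if the base64 payload carries the password verbatim
    return password.encode() in base64.b64decode(message)

if __name__ == "__main__":
    user, pw = "alice", "constructed-pass"  # constructed sample values
    ch = cram_challenge()
    print("PLAIN exposes password:", password_on_wire(plain_message(user, pw), pw))
    print("CRAM-MD5 exposes password:", password_on_wire(cram_response(user, pw, ch), pw))
    print("CRAM-MD5 verifies:", cram_verify(cram_response(user, pw, ch), ch, {user: pw}))
```

Because the CRAM-MD5 response is bound to the server's challenge, a response captured from one connection fails verification against the challenge issued on the next.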