dovecot-1.0.7-8.el5_9.1.x86_64.rpm

Authentication Mechanisms
=========================

An authentication mechanism is the protocol that an IMAP or POP3 client uses to
communicate with Dovecot to perform the authentication. The simplest one is the
PLAIN mechanism, in which the client simply sends the password unencrypted to
Dovecot. All clients support the PLAIN mechanism, but obviously there's the
problem that anyone listening on the network can steal the password. For that
reason (and some others) other mechanisms were implemented.

Non-PLAIN mechanisms have one major disadvantage, however. On the server side
the password must be stored in a special format or in plaintext. This makes it
impossible to use most mechanisms with the commonly used DES and MD5 crypted
passwords.

Today, however, many people use SSL, and there's no problem with sending the
password unencrypted inside an SSL-secured connection. So if you're using SSL,
you probably don't need to bother with anything other than the PLAIN
mechanism.

Other non-PLAIN mechanisms include:

 * CRAM-MD5: Protects the password in transit against eavesdroppers. Somewhat
   good support in clients.
 * DIGEST-MD5: Somewhat stronger cryptographically than CRAM-MD5, but clients
   rarely support it.
 * APOP: This is a POP3-specific authentication. Similar to CRAM-MD5, but
   requires storing the password in plaintext.
 * NTLM: Mechanism created by Microsoft and supported by their clients.
 * GSSAPI: Kerberos v5 support.
 * RPA: CompuServe RPA authentication mechanism. Similar to DIGEST-MD5, but
   client support is rare.
 * LOGIN: Similar to PLAIN, useful only when serving SMTP AUTH to Outlook
   clients (i.e. pretty useless with IMAP and POP3).
 * ANONYMOUS: Support for logging in anonymously. This may be useful if you're
   intending to provide a publicly accessible IMAP archive.
 * OTP and SKEY: One time password mechanisms. Supported only by Dovecot v1.1
   and later.

(This file was created from the wiki on 2007-06-15 04:42)