HowTo authenticate Apache against dovecot 2.1


Advanced mail server setups often extend a basic setup with additional web-based tools such as webmailers, sieve editors, vacation message configuration tools, CalDAV/CardDAV, and so on.

Authenticating such web interfaces against a part of the basic setup can really simplify things.

We do so using the auth socket of the Dovecot POP/IMAP server (version 2.1, using Dovecot's upstream packages for Debian wheezy).

The following HowTo explains how we actually managed to connect Apache with Dovecot.

Install mod_auth_external


apt-get install libapache2-mod-authnz-external

a2enmod authnz_external


Configure VirtualHost (Example)


# in VirtualHost or global httpd.conf context
DefineExternalAuth dovecotpw pipe /etc/apache2/auth/
# in almost any context, i.e. VirtualHost, Location, Directory, ...
AuthType Basic
AuthName authtest
AuthBasicProvider external
AuthExternal dovecotpw
Require valid-user

Create Wrapper-Script

Create /etc/apache2/auth/ with this content:

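#!/bin/sh
# pipe method: Apache writes the user name, then the password, one per line on stdin
IFS= read -r DCUSER; IFS= read -r DCPASS
/usr/bin/doveadm auth "${DCUSER}" "${DCPASS}"
# optionally log something here (save $? first if you do)
exit $?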
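
A more defensive variant of the wrapper, as an added example that is not part of the original HowTo: it reads the two lines that mod_authnz_external writes to stdin in pipe mode, rejects empty or malformed input, and logs the outcome without the password. The DOVEADM override variable, the function names and the syslog tag are assumptions made for this example.

```shell
#!/bin/sh
# Added example: defensive wrapper for mod_authnz_external's "pipe" method.
# DOVEADM may be overridden for testing; the default is the path from the HowTo.
DOVEADM="${DOVEADM:-/usr/bin/doveadm}"

# Log the user name and the outcome only, never the password.
# The syslog tag "apache-dovecot-auth" is an arbitrary choice for this example.
log_result() {
    if command -v logger >/dev/null 2>&1; then
        logger -t apache-dovecot-auth "user=$1 result=$2" || :
    fi
}

# Read the user name (stdin line 1) and password (stdin line 2) and ask dovecot.
# Returns 0 only if doveadm accepts the pair.
check_credentials() {
    dc_user='' dc_pass=''
    IFS= read -r dc_user || return 1
    # Accept a final line without a trailing newline, but not a missing one.
    IFS= read -r dc_pass || [ -n "$dc_pass" ] || return 1

    # Refuse empty values and anything containing control characters.
    [ -n "$dc_user" ] && [ -n "$dc_pass" ] || return 1
    case "$dc_user$dc_pass" in
        *[[:cntrl:]]*) return 1 ;;
    esac
    # A user name starting with "-" could be taken for a doveadm option.
    case "$dc_user" in
        -*) return 1 ;;
    esac

    # Note: the password is passed as an argument, so it can be visible in the
    # process list to other local users while doveadm runs.
    if "$DOVEADM" auth "$dc_user" "$dc_pass" >/dev/null 2>&1; then
        log_result "$dc_user" ok
        return 0
    fi
    log_result "$dc_user" failed
    return 1
}

# When installed as the authenticator, finish the script with:
#   check_credentials; exit $?
```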

Activate Apache changes


# Apache must be allowed to execute the script. There are several ways to accomplish this; one is:
chmod 0755 /etc/apache2/auth/

apache2ctl graceful


Provide a Dovecot auth-client socket for Apache

In e.g. /etc/dovecot/local.conf, a unix_listener auth-client with wide access rights is required. Note that mode 0666 lets every local user connect to this socket:


service auth {
  # [...]
  unix_listener auth-client {
    mode = 0666
    #user = vmail
  }
}

Activate Dovecot change

/etc/init.d/dovecot stop
# make sure this is (re)created with the correct access rights; your path may differ
rm /var/run/dovecot/auth-client
/etc/init.d/dovecot start