HowTo authenticate Apache against dovecot 2.1
Introduction
Advanced mail server setups often extend a basic setup with additional web-based tools such as webmailers, sieve editors, vacation message configuration tools, CalDAV/CardDAV, and so on.
Authenticating such web interfaces against a component of the basic setup can really simplify things.
We do so using the auth socket of the Dovecot POP/IMAP server (version 2.1, using Dovecot's upstream packages for Debian wheezy).
The following HowTo explains how we actually managed to connect Apache with Dovecot.
Install mod_auth_external
apt-get install libapache2-mod-authnz-external
a2enmod authnz_external
Configure VirtualHost (Example)
# in VirtualHost or global httpd.conf context
DefineExternalAuth dovecotpw pipe /etc/apache2/auth/dovecotpw.sh
# in almost any context, e.g. VirtualHost, Location, Directory, ...
AuthType Basic
AuthName authtest
AuthBasicProvider external
AuthExternal dovecotpw
Require valid-user
Create Wrapper-Script
Create /etc/apache2/auth/dovecotpw.sh
with this content:
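#!/bin/bash
# mod_authnz_external (pipe method) sends user name and password on stdin, one per line
IFS= read -r DCUSER
IFS= read -r DCPASS
# quoted, so spaces and shell metacharacters in the input are not expanded;
# the password is still visible in the process list while doveadm runs
/usr/bin/doveadm auth "${DCUSER}" "${DCPASS}"
RC=$?
# optionally log something here (never the password)
exit $RC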
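A hardened variant of the wrapper script, as an added example that is not part of the original HowTo: it checks the login name before doveadm sees it, denies on missing input and logs the outcome without the password. The function names, the 128-character limit, the DOVEADM override and the AUTHTYPE=PASS entry-point check (an environment variable set by mod_authnz_external) are assumptions of this example.

```shell
#!/bin/bash
# Added example: hardened variant of /etc/apache2/auth/dovecotpw.sh.
DOVEADM=${DOVEADM:-/usr/bin/doveadm}

# Log outcome and user name to syslog; the password is never logged.
log_result() {
    command -v logger >/dev/null 2>&1 || return 0
    logger -t dovecotpw -p auth.info "result=$1 user=$2" 2>/dev/null || true
}

# Accept only plausible login names: 1-128 characters, no leading "-"
# (doveadm would parse it as an option), no whitespace or control characters.
valid_user() {
    [ -n "$1" ] && [ "${#1}" -le 128 ] || return 1
    case $1 in
        -* | *[[:space:]]* | *[[:cntrl:]]*) return 1 ;;
    esac
}

# Read "user\npassword\n" from stdin, as the pipe method delivers them,
# and return 0 only if doveadm accepts the pair.
check_login() {
    IFS= read -r DCUSER || return 1     # -r keeps backslashes literal
    IFS= read -r DCPASS || return 1     # missing second line: deny
    if ! valid_user "$DCUSER"; then
        log_result rejected-name '-'
        return 1
    fi
    if [ -z "$DCPASS" ]; then
        log_result empty-password "$DCUSER"
        return 1
    fi
    # Quoted, so neither value is word-split or glob-expanded. The password
    # is still visible in the process list while doveadm runs.
    if "$DOVEADM" auth "$DCUSER" "$DCPASS" >/dev/null 2>&1; then
        log_result ok "$DCUSER"
        return 0
    fi
    log_result failed "$DCUSER"
    return 1
}

# Entry point. Assumption: mod_authnz_external exports AUTHTYPE=PASS when it
# runs a password authenticator; any other invocation ends non-zero (deny).
# Manual check: printf 'user\npass\n' | AUTHTYPE=PASS ./dovecotpw.sh
[ "${AUTHTYPE:-}" = PASS ] && { check_login; exit $?; }
```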
Activate Apache changes
# Apache must be allowed to execute the script. There are several ways to accomplish this. One is:
chmod 0755 /etc/apache2/auth/dovecotpw.sh
apache2ctl graceful
Provide a Dovecot auth-client socket for Apache
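In e.g. /etc/dovecot/local.conf, a unix_listener auth-client with wide access rights is required.
Mode 0666 lets every local account connect to the auth socket; the listener's user and group settings together with a tighter mode can limit access to the account Apache runs as.
The listener as configured here:
service auth {
  # [...]
  unix_listener auth-client {
    mode = 0666
    #user = vmail
  }
}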
Activate Dovecot change
/etc/init.d/dovecot stop
# make sure this is (re)created with the correct access rights. Your path may differ.
rm /var/run/dovecot/auth-client
/etc/init.d/dovecot start