This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.

This entry documents the basic process for setting up CRAM-MD5 authentication for Dovecot.

Firstly, you need to enable the mechanism and specify a passwd database file in Dovecot. The mechanism and passdb file are specified in the dovecot.conf configuration file, on a Red Hat or similar system this is located in the /usr/local/etc/ directory.

auth default { 
# Space separated list of wanted authentication mechanisms: 
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi 
mechanisms = plain login cram-md5

# passwd-like file with specified location 
passdb passwd-file { 
  # Path for passwd-file. Also set the default password scheme (v1.1+)
  args = scheme=cram-md5 /etc/cram-md5.pwd 
# [...]

You see that I’ve added the cram-md5 mechanism to the mechanisms statement and then added a passdb file, /etc/cram-md5.pwd.

Next, you need to create this passdb file and set appropriate permissions.

# touch /etc/cram-md5.pwd 
# chmod 0600 /etc/cram-md5.pwd

After creating the file you need to add your users and hashed passwords to the passdb file. The users and passwords are added in the format:


Dovecot has a utility that allows you to convert passwords to the appropriate hashes. This utility is called dovecotpw and is installed into the /usr/local/sbin directory or is available in the source package in the src/util directory. You can run dovecotpw like so:

# dovecotpw 
Enter new password: password
Retype new password: password

Enter the user’s password when prompted and it will be converted and outputted as a hash. The default hashed output is in the CRAM-MD5 scheme (old Dovecot versions called the scheme HMAC-MD5, which is confusing because it's not the real HMAC-MD5). You can change the scheme of the outputted hashes using the -s command line switch.

Now add the generated password to the passdb file, /etc/cram-md5.pwd.


Finally, restart Dovecot and test authentication by enabling the appropriate mechanism in your email client. For example, to enable CRAM-MD5 authentication in Thunderbird you need to check the “Use secure authentication” checkbox in the Account Settings page.

I recommend that you also use TLS/SSL to encrypt the authentication process as well.

None: HowTo/CRAM-MD5 (last edited 2011-01-28 01:41:54 by TimoSirainen)