Bernhard Scheirle

About Me

Hello, my name is Bernhard.
I'm a software developer and free software enthusiast.

Contact Me


Authenticate XMPP user with dovecot SASL


A few days ago I decided that I want to run my own XMPP (jabber) server. Since I don't want to have another user database I searched for a solution to reuse my current e-mail database.

Luckily dovecot (my e-mail deamon) already supports this. Dovecot has a feature called SASL which allows other software to ask dovecot if a given user name and password is valid.


I first tried ejabberd (Community). Ejabberd does not support dovecot SASL by itself, but there are external scripts to authenticate users. There also is already a perl script which uses dovecot, but it didn't worked so well for me (From the current point of view: I didn't tried hard enough).

So instead I decided to use a python script which uses a MySQL backend. True, now I didn't use dovecot :(, but since dovecot itself uses a MySQL database to store all user, I still had the central user storage. I had to change quite a bit till the script worked; but still, it crashed quite often.

An additional problem was that if the script crashes the next authentication will fail and ejabberd logs the user password! (regardless of the log level) The user will see a wrong password message (even if the password is correct), and then ejabberd restarts the script.

Well, that seems wrong and so I decided to try a different XMPP server.


Prosody also does not support dovecot SASL by itself and there also is a external authenticator for this purpose: mod_auth_dovecot

The setup worked quite well the only problem was that dovecot SASL always denied the authentication. It needed quite some code digging and "discussions" (telnet) with the dovecot SASL to isolate the problem:

According to the dovecot authentication protocol a user should ask for authentication by sending following request:

AUTH    <id>    PLAIN   service=<service>   resp=<base64>

where id is just an identifier, service is the service requesting authentication and base64 the encoded username and password.

Now looking at the output from mod_auth_dovecot:

AUTH    1   PLAIN   service=xmpp    resp=AFRoaXNJc1RvdGFsbHlNeUVtYWlsQWRkcmVzc0FuZFBhc3N3b3Jk

Well everything looks fine, the problem is, my dovecot configuration denies the authentication for unknown services. Sadly I didn't found out how to accept the xmpp service (If you know this, please let me know it).

So instead I modified mod_auth_dovecot to output imap as service instead of xmpp. This should not have any side effects because the request is only for authentication and nothing else. So the services which does the request doesn't matter.


Right now I use prosody with my 2 character modification and it works quite well. I know it's not the best way, but the easiest.

XMPP-Logo: Licensed under MIT


There are no comments yet. Why aren't you the FIRST and shout something?

Add a Comment

You may format you comment with Markdown.

Comment Atom Feed