SQL Authentication Howto

NOTE: This page is a work in progress, and has not been tested. It may or may not be of any use, may contain numerous errors, and may turn your tongue a strange color. Use at your own risk.

First, install and configure MySQL (root user and password, access rules, firewall rules, etc) following the directions found on numerous web sites on the internet. This will be operating system dependent, and vary based on your needs.

Next, install Horde and IMP, following directions found elsewhere on this wiki. Specific instructions vary by operating system and your access to the system.

Then, install dovecot, following the instructions on http://wiki.dovecot.org/ and configure dovecot to use MySQL as per the directions at http://wiki.dovecot.org/AuthDatabase/SQL

We will assume that dovecot's SQL database is setup like the example at http://wiki.dovecot.org/AuthDatabase/SQL:

    userid VARCHAR(128) NOT NULL,
    domain VARCHAR(128) NOT NULL,
    password VARCHAR(64) NOT NULL,
    home VARCHAR(255) NOT NULL,

Now, configure IMP:

Now, configure Horde:

If you are not using domains, then use the following queries:

If you are using domains, then use the following queries:

NB: We do not (in this wiki page) use the uid/gid fields. If you need these fields, you will need to modify the queries to include them, as appropriate. In the same vain, you could add additional fields as well, if needed or desired.

If you need to use multiple virtual domains, you might see the web page http://wiki.vpslink.com/HOWTO:_ISP-style_Email_Server_with_Debian-Etch_and_Postfix_2.3 which could provide much inspiration for the sql database setup.

Comment from another user: You can also do it the other way - let Dovecot authenticate against the Horde users table, like I do:

1. Add a dovecot user to the SQL server (I use PostgreSQL).
2. Amend permissions for the the 'horde_users' table to give the 'dovecot' user read (SELECT) permission.
3. Use the following (amend as needed - the example assumes you are using PostgreSQL) in /etc/dovecot/dovecot-sql.conf:

driver = pgsql
connect = host=localhost dbname=horde user=dovecot password=
default_pass_scheme = MD5-CRYPT
password_query = SELECT user_uid AS username, user_pass AS password FROM horde_users WHERE user_uid = '%u'
iterate_query = SELECT user_uid AS username FROM users

4. I use a static user database in Dovecot, so I didn't need the "user_query"
5. Add the following to /etc/dovecot/dovecot.conf:

userdb {
args = uid=vmail gid=vmail home=/srv/dovecot/%u
driver = static

passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf

Amend the above to suit your setup. Don't forget to set MD5-CRYPT as password encryption in Horde as well. One advantage of doing things this way is that passwords can be changed and new users added through Horde - and they will apply to Dovecot as well.

Comment from Deny Dias <deny at macpress dot com dot br>: Integrating Horde to ViMbAdmin

From http://www.vimbadmin.net/:

"The ViMbAdmin project (vim-be-admin) provides a web based virtual mailbox administration system allowing mail administrators to manage domains, mailboxes and aliases."

To integrate ViMbAdmin as an authentication backend to Horde, you can follow this quite simple steps. Pay attention that this method DO NOT take into account multiple virtual domains. It also do not provides the functions to UPDATE and DELETE users at ViMbAdmin database as this may extend vulnerability surface. Just count on ViMbAdmin for the regular user management (CRUD).

1. In your database, grant to the horde user just the minimal set of required permissions at ViMbAdmin mailbox table:

GRANT SELECT (`username`, `password`, `active`) ON `vimbadmin`.`mailbox` TO 'horde'@'localhost';

2. Configure basic database access as shown above, but use the horde user credentials and prefer unix socket to database connection.

3. Add these queries to Horde configuration:

query_auth: SELECT username, password FROM mailbox WHERE username = \L AND password = \P AND active = 1
query_getpw: SELECT password FROM mailbox WHERE username = \L AND active = 1
query_list: SELECT username FROM mailbox WHERE active = 1
query_exists: SELECT 1 FROM mailbox WHERE username = \L AND active = 1

4. Leave query_add, query_update, query_resetpassword and query_remove blank.

5. Set [auth][params][encryption] to the algorithm that fit your needs.

Generate the new configuration file and you're done.