DOVEADM-AUTH(1) Dovecot DOVEADM-AUTH(1)
NAME
doveadm-auth - Flush/lookup/test authentication data
SYNOPSIS
doveadm [GLOBAL OPTIONS] auth command [OPTIONS] [ARGUMENTS]
DESCRIPTION
The doveadm auth COMMANDS can be used to perform various authentication
related actions.
GLOBAL OPTIONS
Global doveadm(1)
-D
Enables verbosity and debug messages.
-O
Do not read any config file, just use defaults. The dovecot_stor-
age_version setting defaults to the latest version, but can be over-
ridden with
-k
Preserve entire environment for doveadm, not just import_environment
setting.
-v
Enables verbosity, including progress counter.
-i instance-name
If using multiple Dovecot instances, choose the config file based on
this instance name.
See instance_name setting for more information.
-c config-file
Read configuration from the given config-file. By default it first
reads config socket, and then falls back to /etc/dovecot/dove-
cot.conf. You can also point this to config socket of some instance
running compatible version.
-o setting=value
Overrides the configuration setting from /etc/dovecot/dovecot.conf
and from the userdb with the given value. In order to override mul-
tiple settings, the -o option may be specified multiple times.
-f formatter
Specifies the formatter for formatting the output. Supported format-
ters are:
flow
prints each line with key=value pairs.
pager
prints each key: value pair on its own line and separates records
with form feed character (^L).
tab
prints a table header followed by tab separated value lines.
table
prints a table header followed by adjusted value lines.
OPTIONS
-x auth_info
auth_info specifies additional conditions for the user command. The
auth_info option string has to be given as name = value pair. For
multiple conditions the -x option could be supplied multiple times.
Possible names for the auth_info are:
service
The service for which the userdb lookup should be tested. The
value may be the name of a service, commonly used with Dovecot.
For example: imap, pop3 or smtp.
session
Session identifier.
lip
The local IP address (server) for the test.
rip
The remote IP address (client) for the test.
lport
The local port, e.g. 143
rport
The remote port, e.g. 24567
real_lip
The local IP to which the client connected on this host.
real_rip
The remote IP where client connected from to this host.
real_lport
The local port to which client connected to to this host.
real_rport
The remote port from where the client connected from to this host.
forward_<field>
Field to forward as %{forward:field} to auth process.
ARGUMENTS
user
The user's login name. Depending on the configuration, the login
name may be for example jane or john@example.com.
password
Optionally the user's password. doveadm(1) will prompt for the pass-
word, if none was given.
COMMANDS
auth cache flush
doveadm [GLOBAL OPTIONS] auth cache flush [-a master_socket_path] [user
...]
Flush the authentication cache. By default the cache is flushed for all
the users (which can also be done by sending SIGHUP to the auth
process). You can also flush the cache for one or more users by provid-
ing their usernames.
-a master_socket_path
This option is used to specify an absolute path to an alternative
UNIX domain socket.
By default doveadm(1) will use the socket
-x auth_info
auth_info specifies additional conditions for the user command. The
auth_info option string has to be given as name = value pair. For
multiple conditions the -x option could be supplied multiple times.
Possible names for the auth_info are:
service
The service for which the userdb lookup should be tested. The
value may be the name of a service, commonly used with Dovecot.
For example: imap, pop3 or smtp.
session
Session identifier.
lip
The local IP address (server) for the test.
rip
The remote IP address (client) for the test.
lport
The local port, e.g. 143
rport
The remote port, e.g. 24567
real_lip
The local IP to which the client connected on this host.
real_rip
The remote IP where client connected from to this host.
real_lport
The local port to which client connected to to this host.
real_rport
The remote port from where the client connected from to this host.
forward_<field>
Field to forward as %{forward:field} to auth process.
auth lookup
doveadm [GLOBAL OPTIONS] auth lookup [-a userdb_socket_path] [-x
auth_info] [-f field] user [...]
Similar to doveadm-user(1) command, except it performs a
-a userdb_socket_path
This option is used to specify an absolute path to an alternative
UNIX domain socket.
By default doveadm(1) will use the socket
-f field
When this option and the name of a userdb field is given, doveadm(1)
will show only the value of the specified field.
-x auth_info
auth_info specifies additional conditions for the user command. The
auth_info option string has to be given as name = value pair. For
multiple conditions the -x option could be supplied multiple times.
Possible names for the auth_info are:
service
The service for which the userdb lookup should be tested. The
value may be the name of a service, commonly used with Dovecot.
For example: imap, pop3 or smtp.
session
Session identifier.
lip
The local IP address (server) for the test.
rip
The remote IP address (client) for the test.
lport
The local port, e.g. 143
rport
The remote port, e.g. 24567
real_lip
The local IP to which the client connected on this host.
real_rip
The remote IP where client connected from to this host.
real_lport
The local port to which client connected to to this host.
real_rport
The remote port from where the client connected from to this host.
forward_<field>
Field to forward as %{forward:field} to auth process.
auth test
doveadm [GLOBAL OPTIONS] auth test [-a auth_socket_path] [-A sasl_mech]
[-x auth_info] user [password]
Test authentication for the given user.
-a auth_socket_path
This option is used to specify an absolute path to an alternative
UNIX domain socket.
By default doveadm(1) will use the socket
-A sasl_mech
The SASL mechanism used for the authentication. By default PLAIN is
used.
-x auth_info
auth_info specifies additional conditions for the user command. The
auth_info option string has to be given as name = value pair. For
multiple conditions the -x option could be supplied multiple times.
Possible names for the auth_info are:
service
The service for which the userdb lookup should be tested. The
value may be the name of a service, commonly used with Dovecot.
For example: imap, pop3 or smtp.
session
Session identifier.
lip
The local IP address (server) for the test.
rip
The remote IP address (client) for the test.
lport
The local port, e.g. 143
rport
The remote port, e.g. 24567
real_lip
The local IP to which the client connected on this host.
real_rip
The remote IP where client connected from to this host.
real_lport
The local port to which client connected to to this host.
real_rport
The remote port from where the client connected from to this host.
forward_<field>
Field to forward as %{forward:field} to auth process.
auth login
doveadm [GLOBAL OPTIONS] auth login [-a auth_socket_path] [-m auth_mas-
ter_socket_path] [-A sasl_mech] [-x auth_info] user [password]
Test full login for the given user; i.e. performing both passdb lookup
(authentication) and userdb lookup (login).
-a auth_socket_path
This option is used to specify an absolute path to an alternative
UNIX domain socket.
By default doveadm(1) will use the socket
-m auth_master_socket_path
This option is used to specify an absolute path to an alternative
UNIX domain socket for the master socket.
By default doveadm(1) will use the socket
-A sasl_mech
The SASL mechanism used for the authentication. By default PLAIN is
used.
-x auth_info
auth_info specifies additional conditions for the user command. The
auth_info option string has to be given as name = value pair. For
multiple conditions the -x option could be supplied multiple times.
Possible names for the auth_info are:
service
The service for which the userdb lookup should be tested. The
value may be the name of a service, commonly used with Dovecot.
For example: imap, pop3 or smtp.
session
Session identifier.
lip
The local IP address (server) for the test.
rip
The remote IP address (client) for the test.
lport
The local port, e.g. 143
rport
The remote port, e.g. 24567
real_lip
The local IP to which the client connected on this host.
real_rip
The remote IP where client connected from to this host.
real_lport
The local port to which client connected to to this host.
real_rport
The remote port from where the client connected from to this host.
forward_<field>
Field to forward as %{forward:field} to auth process.
EXAMPLE
This example demonstrates an imap authentication test for user john, as-
suming the user is connected from the host with the IP address
192.0.2.143.
doveadm auth test -x service=imap -x rip=192.0.2.143 john
Password:
passdb: john auth succeeded
extra fields:
user=john
REPORTING BUGS
Report bugs, including doveconf -n output, to the Dovecot Mailing List
⟨dovecot@dovecot.org⟩. Information about reporting bugs is available at:
https://dovecot.org/bugreport.html
SEE ALSO
doveadm(1)
78ffb79 March 2025 DOVEADM-AUTH(1)
Generated by dwww version 1.16 on Tue Dec 16 05:44:50 CET 2025.