Category Archives: Dovecot

Authenticating Squid with Dovecot

Authenticating Squid

Squid provides the mechanism to require users to sign on before it will start proxying for them.

In the libexec directory (on my FreeBSD system, /usr/local/libexec/squid) are a number of authentication helper programs. Here is a list of some of the ones in mine.


ncsa_auth               smb_auth                squid_dbpg_auth
digest_pw_auth          logfile-daemon          ntlm_auth               
smb_auth.sh             squid_kerb_auth         yp_auth
msnt_auth               pam_auth                squid_db_auth

As I’m using Dovecot and Postfix.admin, I want to use the same password for the proxy that I use for my mail system.

System Components

  • PostgreSQL
  • Postfix.admin
  • Dovecot
  • Squid

The mail system is up and running, so the tables with the user names and passwords are available.

The squid system does not need to update, delete or add any records – it is simply going to pass a user name and a password and see if these match.

The squid_db_auth File

There is a predefined file for using a database to authenticate.  This is a good place to start.  Rather than modify the built-in file, I copied it to squid_dbpg_auth and made changes to this.

The Dovecot Password

Dovecot provides the mail services (IMAP) so any password checking needs to be done using the same method. This meant I needed to add a function to transform the password into the same format as Dovecot.

Thankfully a bit of google-fu dug up a useful function written by William K. Cole. Thanks, William!

I was able to add his function into the squid_dbpg_auth script and it ran flawlessly.  William's code is marked in blue and the extra line in the password checking function is also marked in blue.

You will need to complete the settings at the top in red to point to the correct database and set up the user and password settings.

Click to see the squid_dbpg_auth script.

Activating the authentication in Squid

In order to tell Squid to use this method, the following lines need to be added to squid.conf.

#
# PostgreSQL authentication.
#
auth_param basic program /usr/local/libexec/squid/squid_dbpg_auth
auth_param basic children 5
auth_param basic realm Home Squid postgres proxy-caching web server
auth_param basic credentialsttl 300 minutes
auth_param basic casesensitive off

Next time you attach to Squid, it will pop up a dialog requesting your user name and password. These will be the same as for your mail system.

Acknowledgements.

William Cole and his really helpful script at http://www.scconsult.com/bill/crampass.pl

 

 

Missing dovecotpw command

When installing the Dovecot IMAP server and Postfix.admin, one of the Postfix.admin configuration lines required the dovecotpw command, which wasn’t included in the version (2.1.3) of Dovecot I had installed.

The doveadm utility performs all the management functions, but simply calling this from postfix admin didn’t work.

Here’s the small wrapper I wrote around the doveadm program so that postfixadmin sees a dovecotpw utility:

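#!/bin/sh
# front end to mimic dovecotpw using doveadm for postfixadmin
#
# doveadm pw [-l] [-p plaintext] [-r rounds] [-s scheme] [-t hash] [-u user] [-V]
#
# Each option value is kept in its own variable rather than one flat string,
# so a value (the -p plaintext in particular) is never word-split or globbed.
# Note: a plaintext given with -p is visible in the process list while doveadm runs.

unset l V p r s t u
while getopts ":lp:r:s:t:u:V" opt ; do
case $opt in
        l ) l=1 ;;
        V ) V=1 ;;
        p ) p=$OPTARG ;;
        r ) r=$OPTARG ;;
        s ) s=$OPTARG ;;
        t ) t=$OPTARG ;;
        u ) u=$OPTARG ;;
esac
done
shift $((OPTIND - 1))

# ${var+words} expands only when var is set; the inner quotes keep each value
# as a single argument.
/usr/bin/doveadm pw ${l+-l} ${V+-V} ${p+-p "$p"} ${r+-r "$r"} \
        ${s+-s "$s"} ${t+-t "$t"} ${u+-u "$u"}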

I placed this in /usr/local/bin and referenced it directly from the postfixadmin configuration file.

Make the file executable by using chmod.

mailserv:/root # chmod 755 /usr/local/bin/dovecotpw
mailserv:/root # ls -al /usr/local/bin/dovecotpw 
-rwxr-xr-x 1 root root 519 Feb  6  2013 /usr/local/bin/dovecotpw

Here are the relevant lines from the postfixadmin configuration file config.inc.php. (In openSUSE 12.3 this file is found at /srv/www/htdocs/postfixadmin/config.inc.php.)

$CONF['encrypt'] = 'dovecot:CRAM-MD5';
// If you use the dovecot encryption method: where is the dovecotpw binary located?
$CONF['dovecotpw'] = "/usr/local/bin/dovecotpw";