External Authenticator programs can be used to provide authentication, provisioning, and routing services using external data sources.
The External Authenticator Interface protocol is based on the generic [Helper Protocol](External Authenticator).
This manual describes the External Authenticator Interface Version 11.
When a user should be authenticated using the clear text method, the Server sends the following command:
nnnnnn VRFY (mode) name@domain password [loginAddress]
When a user should be authenticated using a secure SASL method, the following command is sent:
nnnnnn SASL(method) (mode) name@domain password key [loginAddress]
If the password is accepted, the External Authenticator should return a positive response:
If the password was not accepted, a negative response should be returned:
nnnnnn ERROR optional-error-message
If the password is accepted, and there is an authentication response to be returned to the client, a positive response with a quoted string should be returned:
nnnnnn RETURN "authentication-response"
SASL password verification requires that the External Authenticator program correctly implements all supported SASL methods and algorithms. Alternatively, the External Authenticator program can return the user's plain text password, so that the Server verifies the password and calculates the necessary authentication responses itself. The user's plain text password should be returned as a quoted string:
nnnnnn PLAIN "plain-text-password"
Sample session (I: - server commands sent to the program standard input, O: - responses the program writes to its standard output):
I: 00001 INTF 1
O: 00001 INTF 1
I: 00010 VRFY firstname.lastname@example.org dsyui134
O: 00010 OK
I: 00011 VRFY (IMAP) email@example.com jskj23#45 [10.0.3.4]
O: 00011 ERROR incorrect password
I: 00012 SASL(CRAM-MD6) firstname.lastname@example.org hdkj547812329394055 <email@example.com> [10.0.1.4]
I: 00013 VRFY (IMAP) firstname.lastname@example.org "jskj23\"45"
O: 00013 OK
O: 00012 ERROR unsupported SASL method
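A minimal helper that answers the commands shown in the sample session, as an added example (not code from this manual or from the Server's vendor). The credential store, the PBKDF2 parameters, the `unknown command` and `malformed command` messages, and the rule that `\x` inside a quoted string means `x` are assumptions; because only password hashes are stored, every SASL request is rejected rather than answered with `PLAIN`.

```python
import hashlib, hmac, re, sys

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (assumption): account -> (salt, PBKDF2 hash).
USERS = {"firstname.lastname@example.org": (b"s1", pw_hash("dsyui134", b"s1"))}

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

def tokenize(line):
    """Split on whitespace; a quoted string is one token with \\x unescaped to x."""
    return [bare or re.sub(r"\\(.)", r"\1", quoted)
            for quoted, bare in TOKEN.findall(line)]

def handle(line):
    """Return the response line for one server command, or None for blank input."""
    tok = tokenize(line)
    if not tok:
        return None
    seq, cmd, args = tok[0], (tok[1] if len(tok) > 1 else ""), tok[2:]
    if cmd == "INTF" and args:
        return f"{seq} INTF {args[0]}"        # echo the version, as in the sample
    if cmd.startswith("SASL("):
        return f"{seq} ERROR unsupported SASL method"  # only hashes are stored
    if cmd != "VRFY":
        return f"{seq} ERROR unknown command"
    if args and args[0].startswith("(") and args[0].endswith(")"):
        args = args[1:]                       # drop the optional (mode)
    if len(args) < 2:
        return f"{seq} ERROR malformed command"
    name, password = args[0].lower(), args[1]  # optional [loginAddress] is ignored
    salt, stored = USERS.get(name, (b"none", b""))
    # Hash even for unknown accounts and compare in constant time, so the
    # response time does not reveal which accounts exist.
    ok = hmac.compare_digest(pw_hash(password, salt), stored)
    return f"{seq} OK" if ok else f"{seq} ERROR incorrect password"

def main():
    for line in sys.stdin:                    # one command per line on stdin
        reply = handle(line)
        if reply:
            print(reply, flush=True)          # flush so the Server is not kept waiting

if __name__ == "__main__":
    main()
```

The error text never echoes the submitted password, and the password is never written to a log; keep both properties if the helper is extended.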