Skip to content
Dovecot Authentication Protocol client library.
Python Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



A client for the Dovecot Authentication Protocol v1.1.


Dovecot is a convenient authentication backend for some stuff running on my server, most notably the OpenID provider it looks as if I'm going to have to write, and it's less trouble to write a small client to talk to it than get something talking to PAM.

I figure that somebody might be in the same position, so why not unbundle it from the OpenID provider.


To set up your development environment, run:

make dev

To upload a new release to PyPI:

make release



This API is subject to change.

Use the connect context manager to connect to a DAP server. This takes a service name (such as 'imap') and either a path to a Unix domain socket or in the unix named parameter, or a tuple consisting of a hostname and port number in the inet named parameter.

The context manager returns a Protocol object, on which you can called the auth method. This takes the name of a SASL mechanism (currently only 'PLAIN' is supported), a username, and a password, as well as a number of additional arguments optional arguments, which I need to document.

The return value is a two tuple, consisting of a boolean indicating success or failure and the arguments of the response as a dictionary, or None, indicating a CONT response and that further data is needed.

For instance:

with connect('imap', unix='./auth.sock') as conn:
    status, flags = conn.auth('imap', username, password)
    if status:
        print("Authentication succeeded")
        print("Authentication failed or needs more data")


The library comes with two demonstrations, allowing you to test it out separately from Dovecot itself. Running server will give you a simple DAP server, and client gives you a command-line client. Note, however, that both are not intended to be robust, but just to give you enough to test things out.

Both share two flags --unix and --inet. The former lets you specify a Unix domain socket path, and the latter allows you to specify an address to bind/connect to in the form address:port.

The client also allows you to specify the service name with the --service flag ('imap' by default), the SASL mechanism to use with the --mech flag (currently only 'PLAIN' is supported, so this can be ignored for now), and a username, which defaults to the value of the USER environment variable.

For example:

./ client --unix ./auth.sock --user user

You will then be prompted for a password.

The server takes a flag, --htpasswd, which allows you to specify the path to a htpasswd file to authenticate against:

./ server --unix ./auth.sock --htpasswd ./passwd
You can’t perform that action at this time.