# /etc/dovecot/conf.d/20-auth.conf
# Authentication mechanisms, master/user separation, passdb chain, auth cache.
auth_mechanisms = plain login
auth_allow_cleartext = yes
auth_master_user_separator = *

auth_cache_verify_password_with_worker = yes
auth_cache_negative_ttl = 60s
auth_cache_ttl = 300s
auth_cache_size = 10M
auth_verbose_passwords = sha1:6

# 1) Lua password verification (blocking, return mapping).
passdb lua {
  driver = lua
  lua_file = /etc/dovecot/auth/passwd-verify.lua
  lua_settings {
    blocking=yes
    result_success = return-ok
    result_failure = continue
    result_internalfail = continue
  }
}

# 2) Master password for master user logins.
passdb master {
  driver = passwd-file
  passwd_file_path = /etc/dovecot/dovecot-master.passwd 
  master = yes
  skip = authenticated
}

# 3) Mandatory return layer: empty Lua (e.g. for forced reset).
passdb empty-lua {
  driver = lua
  lua_file = /etc/dovecot/auth/passwd-verify.lua
  lua_settings {
    blocking = yes
  }
}