I have dovecot installed to run the imap/pop side of my email server (with virtual hosting). The problem I am encountering is as long as the person has a legit virtual mailbox, it allows anything as the password. Here is my dovecot.conf: base_dir = /var/run/dovecot/ protocols = imap pop3 imaps pop3s ssl_disable = no ssl_cert_file = /etc/postfix/ssl/server.crt ssl_key_file = /etc/postfix/ssl/server.key ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat ssl_parameters_regenerate = 24 log_path = /var/log/dovecot info_log_path = /var/log/dovecot.info login_dir = /var/run/dovecot/login login_chroot = yes login = imap login_executable = /usr/lib/dovecot/imap-login login_user = dovecot login = pop3 login_executable = /usr/lib/dovecot/pop3-login verbose_ssl = yes valid_chroot_dirs = /var/spool/vmail default_mail_env = maildir:/var/spool/vmail/%d/%n imap_executable = /usr/lib/dovecot/imap pop3_executable = /usr/lib/dovecot/pop3 auth = default auth_mechanisms = plain digest-md5 auth_userdb = passwd-file /etc/dovecot/users auth_passdb = passwd-file /etc/dovecot/passwd auth_executable = /usr/lib/dovecot/dovecot-auth auth_user = root auth_verbose = yes Here is the "passwd" file: # # Virtual Users Passwords # passdb [email protected]::$1$WW8U2exN$6OZPhyJz5JSDijoipZjurl [email protected]::$1$HEXJlljE$Upc279qHenYFBYflaossk/ the "user" file: # # Virtual User Accounts # userdb [email protected]::1000:1000::/var/spool/vmail/domain.net/:bin/false:: [email protected]::1000:1000::/var/spool/vmail/domain.net/:bin/false:: The passwords are MD5 encoded, generated by mkpasswd.pl Help? Thanks!