Users wishing to send and receive email with your Mail server need to authenticate to your server. There are a few different protocols that you can choose from.
Authentication based on where user accounts are hosted
The Mail server determines where the user accounts for your server come from and chooses authentication methods based on how those accounts themselves are authenticated. For example, if all your user accounts are local accounts, the Mail server uses Digest (CRAM-MD5) authentication. If all your user accounts came from an Open Directory server, the Mail server enables both Kerberos and Digest authentication.
If the account authentication source is mixed, the Mail server enables the various methods that are supported. This is the default state, indicated by Automatic in the Authentication pop-up menu. You can change this default behavior by enabling a set of authentication methods based on what’s supported by a specific authentication source, or you can customize specific authentication methods.
The following table indicates which authentication methods are supported for each authentication source:
| Authentication source | Supported methods |
|---|---|
| Open Directory | Kerberos, Digest |
| Active Directory | Kerberos, Cleartext |
| Local Users | Digest |
Note: While the Server app designates the authentication source for both incoming and outgoing email, you can specify different authentication methods for incoming and outgoing email using the command line.
Authentication methods
Kerberos: A secure authentication method that allows multiple computers to share the same authentication system. This is usually used in larger organizations. Kerberos is activated if you enable your server as an Open Directory master server. Kerberos in OS X Server is based on the Heimdal 1.5.1 implementation.
Digest (CRAM-MD5): An authentication method that uses a challenge-response mechanism to encrypt the login information between the email client and your Mail server. Digest mode offers a high level of security, but slightly below Kerberos.
APOP: A challenge-response mechanism to encrypt POP email login information. APOP offers similar security to Digest, but only works with POP email.
Cleartext: Sends mail passwords as plain text over the network. You should only use this authentication method, which doesn’t encrypt passwords, if you’re using SSL to encrypt all network transport for mail service.
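The challenge-response exchange behind Digest (CRAM-MD5) and APOP, as an added example that is not part of the original documentation: the client hashes the password together with a one-time server challenge, so the password itself never crosses the network, and the server recomputes the same digest from its stored secret. The function names, the `user_db` table and the host name are assumptions made for illustration; the sample values are the published examples from RFC 2195 and RFC 1939.

```python
import base64
import hashlib
import hmac
import secrets
import time

def new_challenge(host: str) -> str:
    """Server: issue a fresh, unpredictable challenge for every login attempt."""
    raw = f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>"
    return base64.b64encode(raw.encode()).decode()

def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client (RFC 2195): HMAC-MD5 over the decoded challenge, keyed by the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def cram_md5_verify(response_b64: str, challenge_b64: str, user_db: dict) -> bool:
    """Server: recompute the digest from the stored secret and compare in constant time."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return False
    user, _, digest = decoded.rpartition(" ")
    password = user_db.get(user)  # the server must hold the secret itself to do this
    if password is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def apop_digest(timestamp: str, secret: str) -> str:
    """POP3 APOP (RFC 1939): MD5 over the greeting timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()

# Sample values taken from the RFC 2195 and RFC 1939 examples
RFC_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
USER_DB = {"tim": "tanstaaftanstaaf"}

if __name__ == "__main__":
    reply = cram_md5_response("tim", "tanstaaftanstaaf", RFC_CHALLENGE)
    print("S: +", RFC_CHALLENGE)
    print("C:", reply)
    print("accepted:", cram_md5_verify(reply, RFC_CHALLENGE, USER_DB))
    # The same reply replayed against a new challenge is rejected
    print("replay:", cram_md5_verify(reply, new_challenge("mail.example.com"), USER_DB))
    print("APOP:", apop_digest("<1896.697170952@dbc.mtview.ca.us>", "tanstaaf"))
```

Neither mechanism protects the message content or the rest of the session; only the login exchange is covered, which is why SSL remains relevant even when Cleartext is not in use.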