@wrossmann
Created November 28, 2013 00:47
Quick, dirty, simple PHP to use `doveadm auth` to validate a user's plaintext password against the stored hash without exposing the password through shell commands. Note: This assumes that you already have dovecot's auth backend set up and working. Also, there does not appear to be a simple way to feed in a pre-computed hash, it will only use th…
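<?php
class DoveadmAuth {
    /**
     * Validate a plaintext password with `doveadm auth`.
     * Returns array(exit code, stdout, stderr); exit code 0 means success.
     */
    public static function auth($username, $password) {
        $username = (string) $username;
        // escapeshellarg() only quotes for the shell. A username starting
        // with '-' would still be parsed by doveadm as an option.
        if ($username === '' || $username[0] === '-') {
            throw new InvalidArgumentException('invalid username');
        }
        $descriptors = array(
            0 => array('pipe', 'r'), // stdin: the password is written here
            1 => array('pipe', 'w'), // stdout
            2 => array('pipe', 'w'), // stderr
        );
        $cwd = sys_get_temp_dir();
        // The password never appears on the command line, so it is not
        // visible in the process list.
        $proc = proc_open(
            'doveadm auth ' . escapeshellarg($username),
            $descriptors, $pipes, $cwd
        );
        if ( ! is_resource($proc) ) {
            throw new Exception('failed to create auth process');
        }
        fwrite($pipes[0], $password);
        fclose($pipes[0]); // EOF tells doveadm the password is complete
        $stdout = stream_get_contents($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        $rval = proc_close($proc);
        return array($rval, $stdout, $stderr);
    }
} // -- end class DoveadmAuth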
/* Example Call
print_r(DoveadmAuth::auth('user@domain.com', 'P@ssw0rd'));
*/
/* Example output:
// Successful Auth
Array
(
    [0] => 0
    [1] => passdb: user@domain.com auth succeeded
extra fields:
  user=user@domain.com
    [2] =>
)
// Unsuccessful Auth due to bad password
Array
(
    [0] => 1
    [1] => passdb: user@domain.com auth failed
extra fields:
  user=user@domain.com
    [2] =>
)
// Unsuccessful Auth due to an error [spurious flag introduced]
Array
(
    [0] => 1
    [1] => doveadm auth [-a <auth socket path>] [-x <auth info>] <user> [<password>]
    [2] => auth: invalid option -- 'u'
)
*/
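
In the example output above, a wrong password and a usage error both return exit code 1, so a caller has to read stdout and stderr to tell them apart. The following added example (not part of the original gist; `classifyAuthResult` and `parseExtraFields` are hypothetical names) classifies the returned array and fails closed, assuming the output format shown in the gist's example output and treating any stderr output as an error.

```php
<?php
// Added example, not part of the original gist; function names are hypothetical.

// Map the array returned by DoveadmAuth::auth() to 'ok', 'denied' or 'error'.
// Only the exact expected exit code and first stdout line count; everything
// else, including any stderr output, is 'error' so callers fail closed.
function classifyAuthResult(array $result, $username) {
    list($rval, $stdout, $stderr) = $result;
    $firstLine = trim(explode("\n", (string) $stdout, 2)[0]);
    if (trim((string) $stderr) !== '') {
        return 'error';
    }
    if ($rval === 0 && $firstLine === "passdb: $username auth succeeded") {
        return 'ok';
    }
    if ($rval === 1 && $firstLine === "passdb: $username auth failed") {
        return 'denied';
    }
    return 'error';
}

// Collect the key=value lines that follow "extra fields:" in stdout.
function parseExtraFields($stdout) {
    $fields = array();
    $inExtra = false;
    foreach (preg_split('/\r?\n/', (string) $stdout) as $line) {
        $line = trim($line);
        if ($line === 'extra fields:') { $inExtra = true; continue; }
        if ($inExtra && strpos($line, '=') !== false) {
            list($key, $value) = explode('=', $line, 2);
            $fields[$key] = $value;
        }
    }
    return $fields;
}

// Constructed samples, copied from the three example outputs in the gist.
$user = 'user@domain.com';
$body = "extra fields:\n  user=$user\n";
$samples = array(
    'good password' => array(0, "passdb: $user auth succeeded\n$body", ''),
    'bad password'  => array(1, "passdb: $user auth failed\n$body", ''),
    'usage error'   => array(1, "doveadm auth [-a <auth socket path>] [-x <auth info>] <user> [<password>]\n", "auth: invalid option -- 'u'\n"),
);
foreach ($samples as $label => $result) {
    printf("%-13s => %s\n", $label, classifyAuthResult($result, $user));
}
print_r(parseExtraFields($samples['good password'][1]));
```

Treat `'error'` as a failed login in the calling code, but log it separately from `'denied'` so a broken auth backend is not mistaken for a run of bad passwords.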