[Dovecot] Ideas for Webmail/OTP

Steffen Kaiser skdovecot at smail.inf.fh-bonn-rhein-sieg.de
Tue Aug 7 11:26:13 EEST 2007


On Mon, 23 Jul 2007, Frank Behrens wrote:

> Solution 1:
> When PAM is configured for IMAP the user can use a one-time-password in the same way
> as before. The problem is, that the user must know the sequence number for the password
> (otp challenge), so we need a way to display it. The PAM module supplies the otp challenge
> in the conversation function, but the challenge is not processed by the IMAP server.
> My proposal: The IMAP server stores the challenge from the conversation function and
> includes it in the LOGIN response, when the login was not successful. So a user can try a
> login with a wrong dummy password and get knowledge about the current otp sequence.

You mean, the client issues LOGIN (with a dummy password), because Dovecot
needs to acquire the OTP challenge first, this LOGIN attempt is failed,
but the username can be used to acquire the OTP challenge.  It is reported
back, via the LOGIN failure string and, secondly, another LOGIN attempt
is sent, this time with the same username and a real password.

I guess, you'll need to tweak the webmail interface a bit, that this
sequence is working well.

There are time-related OTPs, where the sequence number is derived from the
current time. When a client tries a logon, the server calculates plenty of
OTPs in the "near" of the current time and adjusts itself to the client, in
case the device's clock is running too slow or fast.

I would say, this kind is more suitable for this purpose. However, one requires
some sort of electronic device for it.

> Solution 2:
> Webmail clients do not use persistent connections in most cases. An OTP login needs
> different passwords for every displayed web page.
> My proposal: Use dovecot's login cache and do not ask the os for every login. :-)

This will definitely be a must then.

> Solution 3:
> My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP extension a
> client can set the real IP address of remote client. The access to this command is restricted
> to the webserver with a new configuration parameter "trusted clients", which holds an IP
> address with mask.

Hmm, any clients accessing webmail via the same proxy or from the same
NATed organisation will use the same IP, dial-up IPs switch the users more
often than anything else. I don't think that restricting by IPs you have
no knowledge about is safe.

Bye,

-- 
Steffen Kaiser
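The time-related OTP check described in the message above, as an added example that is not part of the original post or of Dovecot: the server searches a few time steps around its own clock, remembers the drift it found, and refuses a step it has already accepted. It assumes an RFC 6238 style scheme (HMAC-SHA1, 30-second step, window of 2 steps), which the message does not name; `DriftTolerantVerifier` is a hypothetical name.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (assumed, RFC 6238 default)
WINDOW = 2   # steps searched on each side of the expected step (assumed)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class DriftTolerantVerifier:
    """Hypothetical per-user state: learned clock drift and last accepted step."""

    def __init__(self, key: bytes):
        self.key = key
        self.drift = 0        # learned device offset, in steps
        self.last_step = -1   # highest step already accepted (replay guard)

    def verify(self, otp: str, now: float) -> bool:
        expected = int(now // STEP) + self.drift
        # Try the expected step first, then widen outwards: 0, -1, +1, -2, +2
        for off in sorted(range(-WINDOW, WINDOW + 1), key=abs):
            step = expected + off
            if step <= self.last_step:
                continue  # a step at or before one already used is never accepted
            if hmac.compare_digest(hotp(self.key, step), otp):
                self.drift += off      # adjust to the client's clock
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"      # constructed sample key (RFC 4226 test secret)
    v = DriftTolerantVerifier(key)
    device_otp = hotp(key, 3)          # device clock is two steps slow
    print(v.verify(device_otp, 150), v.drift)   # server clock is at step 5
    print(v.verify(device_otp, 150))            # same OTP replayed
```

The replay guard matters for the webmail case discussed in the thread: an OTP captured from one page request cannot be reused for the next one, which is why a login cache is needed on the server side.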
