The issue related to plugins that use or advertise other capabilities is that it has to have a hook to modify what's advertised. We are having that same challenge where we use CLIENTID as a component for two factor as well, but of course the important thing before we can release the plugin is the ability for plugins to "advertise" capabilities.
Still waiting for that to get the green light on our patch, so we can publish some of our plugins related to this, and other things that require the ability to advertise the capability string.
Variable Capabilities Patch https://github.com/dovecot/core/pull/86
As an aside, another aggressive botnet launched on April 1st, trying to test all the information in the large breached data, appears to be the 'verifications.io' breach. As long as these types of breaches occur, we need more universal methods for two factor. Hoping to see movement on that pull request, so we can share more of what we are doing in our custom environments.
On 2019-04-02 11:16 p.m., André Rodier via dovecot wrote:
Hello,
I would like to implement some kind of two-factor authentication in Dovecot.
I am thinking about using the post-login script to check for unusual behaviour, like, say, a different country / IP address or an unusual hour.
I already wrote a simple shell script that checks these factors, but now I have some options for the following, and I need to know your opinion on whether this is feasible or not.
I want to use the google-authenticator Debian package (it supports the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP)).
The challenge would be sent via XMPP. This second part is fairly easy to do; I have all the packages on Debian, for instance sendxmpp. The first tests are promising.
In case of success, the IP address is added to the list, let's say for one month...
My back-end for authentication is OpenLDAP.
My questions are:
- Do you see any performance issues for other users or login processes, if I implement this?
- I am planning to use a timeout, for instance one minute, to confirm the connection. Does Dovecot have a timeout on its side that would abort the connection before?
Otherwise:
- Is it possible to have multiple authentication back-ends in Dovecot? For instance LDAP and/or OTP?
- I think I have seen some TFA options in Dovecot, but AFAICS they are mandatory.
Thanks for your insights, and this fabulous software.
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
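One way to wire up the flow André describes (new IP => out-of-band challenge, one-minute confirmation window, remember the IP for a month) as a Dovecot post-login script. This is an added example, not code from either poster or from the Dovecot project. The only Dovecot behaviour it relies on is that post-login scripts receive USER and IP in the environment and must exec "$@" to let the session continue (a non-zero exit denies it). The allowlist file format, the paths, the JID derived from the username, the sendxmpp call, and the assumption that an XMPP bot acknowledges the challenge by creating a file named after the token in CONFIRM_DIR are all assumptions of this example:

```shell
#!/bin/sh
# Added example: Dovecot post-login wrapper implementing "unknown IP => confirm out of band".
# Dovecot behaviour used: USER and IP are set in the environment; exec "$@" continues
# the session; a non-zero exit denies it. Everything else below is assumed.

ALLOWLIST="${ALLOWLIST:-/var/lib/dovecot/known-ips}"    # assumed format: "user ip epoch" per line
CONFIRM_DIR="${CONFIRM_DIR:-/var/lib/dovecot/confirm}"  # assumed: a file named <token> here = confirmed
TTL_SECONDS=$((30 * 24 * 3600))                         # "for one month"
CONFIRM_TIMEOUT="${CONFIRM_TIMEOUT:-60}"                # "one minute to confirm"
XMPP_DOMAIN="${XMPP_DOMAIN:-xmpp.example.org}"          # hypothetical: JID is USER@XMPP_DOMAIN

# ip_is_known USER IP: returns 0 if an unexpired allowlist entry exists for this pair, else 1.
ip_is_known() {
    [ -r "$ALLOWLIST" ] || return 1
    awk -v u="$1" -v ip="$2" -v cutoff="$(( $(date +%s) - TTL_SECONDS ))" \
        '$1 == u && $2 == ip && $3 >= cutoff { found = 1 } END { exit found ? 0 : 1 }' "$ALLOWLIST"
}

# remember_ip USER IP: append an entry stamped with the current time (expiry is checked on read).
remember_ip() {
    printf '%s %s %s\n' "$1" "$2" "$(date +%s)" >> "$ALLOWLIST"
}

# new_token: 128 random bits as 32 hex characters, the one-time id of this challenge.
new_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# wait_for_confirmation TOKEN TIMEOUT: poll once per second for CONFIRM_DIR/TOKEN.
# Returns 0 (and consumes the file) on confirmation, 1 when TIMEOUT seconds elapse.
wait_for_confirmation() {
    i=0
    while [ "$i" -lt "$2" ]; do
        if [ -e "$CONFIRM_DIR/$1" ]; then
            rm -f "$CONFIRM_DIR/$1"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# postlogin_main IMAP-BINARY ARGS...: the entry point Dovecot invokes.
postlogin_main() {
    if ! ip_is_known "$USER" "$IP"; then
        token=$(new_token)
        # Out-of-band challenge. sendxmpp reads the message on stdin; it is assumed to be
        # configured (~/.sendxmpprc) for the account that sends the notification.
        if ! printf 'New IMAP login for %s from %s. Reply with token %s to allow it.\n' \
                "$USER" "$IP" "$token" | sendxmpp "$USER@$XMPP_DOMAIN"; then
            printf 'postlogin: could not send challenge for %s\n' "$USER" >&2
            exit 1
        fi
        if ! wait_for_confirmation "$token" "$CONFIRM_TIMEOUT"; then
            printf 'postlogin: unconfirmed login for %s from %s, denied\n' "$USER" "$IP" >&2
            exit 1
        fi
        remember_ip "$USER" "$IP"
    fi
    exec "$@"
}

# Only act when Dovecot actually invoked us (arguments present, IP set); sourcing is a no-op.
if [ $# -gt 0 ] && [ -n "${IP:-}" ]; then
    postlogin_main "$@"
fi
```

Two practical points follow from this shape. First, the client's IMAP connection (and the login process that owns it) stays open for the whole confirmation wait, so the timeout directly bounds how long an attacker hammering a breached credential list can hold resources per attempt; keep it short and rate-limit upstream. Second, the allowlist and confirmation directory must be writable only by the user the post-login service runs as, since anyone who can drop a file there or append a line bypasses the second factor.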