Hello,
I would like to implement some kind of two-factor authentication in Dovecot.
I am thinking about using the post-login script to check for unusual behaviour, like, say, a different country / IP address or an unusual hour.
I already wrote a simple shell script that checks these factors, but now I have some options for the following, and I need your opinion on whether this is feasible or not.
I want to use the Google Authenticator Debian package (it supports the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm).
The challenge would be sent via XMPP. This second part is fairly easy to do; I have all the packages on Debian, for instance sendxmpp. The first tests are promising.
In case of success, the IP address is added to the list, let's say for one month...
My back-end for authentication is OpenLDAP.
My questions are:
- Do you see any performance issues for other users or login processes, if I implement this?
- I am planning to use a timeout, for instance one minute, to confirm the connection. Does Dovecot have a timeout on its side that would abort the connection before that?
Otherwise:
- Is it possible to have multiple authentication back-ends in Dovecot? For instance LDAP and/or OTP?
- I think I have seen some TFA options in Dovecot, but AFAICS, they are mandatory.
Thanks for your insights, and this fabulous software.
-- André Rodier HomeBox: https://github.com/progmaticltd/homebox
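A sketch of the pieces the post describes (RFC 4226 HOTP with TOTP on top, the unusual-IP / unusual-hour policy, and the one-month trusted-IP list), as an added example that is not from the original post, from Dovecot, or from the Google Authenticator package; the XMPP round-trip via sendxmpp is stood in for by a `get_otp` callback, and the "usual hours" range, the IP addresses and the in-memory `trusted` dict are assumed values:

```python
import hashlib
import hmac
import struct

STEP = 30                    # TOTP time step in seconds (the usual default)
ALLOW_TTL = 30 * 24 * 3600   # trust a confirmed IP for one month, as proposed
USUAL_HOURS = range(7, 23)   # assumed "normal" login hours, 07:00-22:59


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP, digits)


def verify_totp(secret: bytes, code: str, now: int, drift: int = 1) -> bool:
    """Accept the current step plus/minus `drift` steps (clock skew, slow XMPP reply)."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-drift, drift + 1))


def needs_challenge(ip: str, hour: int, trusted: dict, now: int) -> bool:
    """Post-login policy: challenge unless the IP is still trusted and the hour is usual."""
    expiry = trusted.get(ip, 0)
    return expiry <= now or hour not in USUAL_HOURS


def trust_ip(trusted: dict, ip: str, now: int) -> None:
    """Record the IP after a correct OTP came back within the timeout."""
    trusted[ip] = now + ALLOW_TTL


def post_login(secret: bytes, ip: str, hour: int, trusted: dict, now: int, get_otp) -> bool:
    """Simulate the post-login decision; get_otp() stands in for the XMPP challenge."""
    if not needs_challenge(ip, hour, trusted, now):
        return True
    if verify_totp(secret, get_otp(), now):
        trust_ip(trusted, ip, now)
        return True
    return False
```

The HOTP/TOTP values can be checked against the test vectors in RFC 4226 Appendix D (secret `12345678901234567890`, counter 0 gives `755224`).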