Jochen Bern Jochen.Bern@binect.de (Wed 25 Oct 2017 14:44:26 CEST): …
>> additional account within the mail client (Thunderbird) they use. From the users' perspective it is exactly what they want. But I dislike the idea of sharing the password.
> For what reason exactly? It not being personalized, too easy to leak, potentially never expiring, ...?

If some of the users aren't allowed to access that "role" account anymore, then I have to "revoke" the old password and re-issue a new one to the leftover members of that role.

> dovecot can take the "username" from a client certificate used in the …

Client certificates are not an option currently, as they are difficult to maintain and probably not compatible with a broader range of MUAs.

> …
> I seem to remember that at least some of the userdb backends dovecot supports allow *several different* passwords to be stored for userB, too ... (But that would probably imply that you cannot allow userB to change "the" password themselves.)

That brings up another idea: We use LDAP authentication. It is possible to have multiple (how many?) userPassword fields per LDAP object. If we are able to track the password hashes (which hash belongs to which user), we can have each user use his very own password to log in as another user (provided that other user has an additional userPassword field).
Best regards from Dresden/Germany
Kind regards from Dresden

Heiko Schlittermann
-- 
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
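To illustrate the multi-valued userPassword idea from the last paragraph, here is an added example (not from this thread and not dovecot's LDAP passdb code): a role account carrying one OpenLDAP-style {SSHA} userPassword value per member, a side table recording which hash was issued to whom (LDAP itself does not label the values, which is exactly the tracking problem raised above), and revocation that drops only one member's hash. Member names and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check one password against one {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


class RoleAccount:
    """A role mailbox whose LDAP entry holds one userPassword value per member."""

    def __init__(self, name):
        self.name = name
        self.user_password = []   # the multi-valued LDAP userPassword attribute
        self.issued_to = {}       # constructed side table: hash -> member uid

    def add_member(self, uid, password):
        """Issue a personal password for the role account and record its owner."""
        value = ssha_hash(password)
        self.user_password.append(value)
        self.issued_to[value] = uid
        return value

    def authenticate(self, password):
        """Return the uid whose personal password matched, or None on failure."""
        for value in self.user_password:
            if ssha_verify(password, value):
                return self.issued_to[value]
        return None

    def revoke_member(self, uid):
        """Remove only that member's hash; everyone else keeps their password."""
        keep = [v for v in self.user_password if self.issued_to[v] != uid]
        removed = len(self.user_password) - len(keep)
        self.user_password = keep
        self.issued_to = {v: u for v, u in self.issued_to.items() if u != uid}
        return removed
```

The returned uid from `authenticate` is what an auth log would need in order to attribute a login to a person rather than to the shared role name.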