Steffen Kaiser <> wrote on 7 Aug 2007 10:26:
You mean, the client issues LOGIN (with a dummy password), because Dovecot needs to aquire the OTP challenge first, this LOGIN attempt is failed, but the username can be used to aquire the OTP challenge. It is reported back, via the LOGIN failure string and, secondly, another LOGIN attempt is sent, this time with the same username and a real password.
Yes, this was my intention.
I guess, you'll need to tweak the webmail interface a bit, that this sequence is working well.
It's easy: If a login fails the webmailer has to write an error message in any case. Simply include the IMAP error response.
There are time-related OTPs, where the sequence number is derived from the current time. When a client tries a logon, the server calculates plenty of OTPs in the "near" of the current time and adjust itself to the client, in case the device's clock is running too slow or fast.
Of course, this is more sophisticated and more expensive. My proposol uses OPIE - One- time Passwords In Everything. But remember: With my proposal you use always the login configuration from operating system. If you have a pam module for an electronic one-time password generator you can use it with IMAP and webmail without additional changes in IMAP- or webmail-server.
Solution 3: My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP extension a client can set the real IP address of remote client. The access to this command is restricted to the webserver with a new configuration parameter "trusted clients", which holds an IP address with mask.
Hmm, any clients accessing webmail via the same proxy or from the same NATed organisation will use the same IP, dial-up IPs switch the users more often than anything else. I don't think that restricting by IPs you have no knowlegde about is save.
I meant it inversely. You can allow the usage of "normal" passwords for all IMAP and webmail clients in local network and restrict external clients to OTP. With pam configuration you make this decision for all logins (ssh, ftp), not only for IMAP with dovecot.
Regards, Frank
Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available.