Hi Robert
2013/3/10 Robert Schetterer <rs@sys4.de>:
Try reading
http://wiki2.dovecot.org/PasswordDatabase/PAM
... This can be useful with e.g. pam_opie to find out which one time password you're supposed to give:
1 LOGIN username otp 1 NO otp-md5 324 0x1578 ext, Response:
I don't worry about how to use Dovecot with either SSL Client-Certificates or our OTP token. SSL ClientCerts do work as expected, and using our token is just a matter of finding the right PAM module. pam_opie is the wrong module, as OPIE is a method to pregenerate a list of One Time Passwords in software. What we are using is a hardware token that generates One Time Passwords as described in RFC 4226. There are PAM modules out there that might do the job, but since I have already implemented the algorithm in our POP3 server, I could build a PAM module myself.
What I would like to know in advance is: how do I configure Dovecot such that SSL Client-Auth is used with priority 1 and OTP-auth is used only for SSL connections without a ClientCert? Non-SSL connections should not be allowed at all.
If that combination is not possible, I'm hoping to get some hints on how to change the Dovecot source.
Kind regards
Peter
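The RFC 4226 HOTP algorithm Peter mentions implementing for his hardware token, as an added example that is not code from this thread, from Dovecot, or from any PAM module: the generator plus the server-side check with a look-ahead window, which is the part a verifier (PAM module or mail server) has to get right. The secret and the expected codes are the published RFC 4226 Appendix D test vectors.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890") and the
# first ten expected 6-digit codes for counters 0..9.
RFC4226_SECRET = b"12345678901234567890"
RFC4226_VECTORS = ["755224", "287082", "359152", "969429", "338314",
                   "254676", "287922", "162583", "399871", "520489"]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then
    RFC 4226 dynamic truncation and reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    binary = ((mac[offset] & 0x7F) << 24        # mask sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, last_counter: int,
                window: int = 10, digits: int = 6):
    """Server-side check (RFC 4226 section 7.4). Only counters strictly
    greater than the last accepted one are tried, so a replayed code is
    rejected; a bounded look-ahead window tolerates a token that was
    pressed a few times without a login. Returns the new counter value
    to store, or None if no counter in the window matches."""
    if not candidate.isdigit() or len(candidate) != digits:
        return None
    for c in range(last_counter + 1, last_counter + 1 + window):
        # compare_digest keeps the comparison time independent of the input
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


def self_check() -> bool:
    """True if the generator reproduces every RFC 4226 Appendix D vector."""
    return all(hotp(RFC4226_SECRET, i) == v for i, v in enumerate(RFC4226_VECTORS))


if __name__ == "__main__":
    print("RFC 4226 vectors:", "ok" if self_check() else "MISMATCH")
    print("verify 338314 after counter 0 ->", verify_hotp(RFC4226_SECRET, "338314", 0))
```

In a real PAM module the stored counter must be advanced to the returned value before the login is reported as successful, otherwise the same code can be accepted twice.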