Mixed Authentication and password schemes
Hi
Looking for some confirmation/direction on how to achieve the following.
We have a requirement to support both SASL PLAIN and DIGEST-MD5 authentication (certification reasons). In addition to this we have an application (webmail) that utilises a master password pattern for access, as the contain web portal provides the necessary authentication.
I have access to users' passwords in PLAIN text and am looking to utilise the dict lookup mechanism for passwords.
Problem #1
https://wiki2.dovecot.org/Authentication/MultipleDatabases - "Currently the fallback works only with the PLAIN authentication mechanism."
The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
Problem #2 How do I enforce some kind of account access policy
Currently we're backing the authentication with an Identity and Authentication system. I would like to block IMAP access if a user's account is locked out, expired, or inactive. Similarly if there are too many IMAP attempts with the incorrect password I would like the account system wide to be locked out.
With Dict lookup I don't see a mechanism to keep the IDM system aware of login attempts/failures, since it pulls the plaintext password and validates internally. Is this possible?
As a worst case does Dovecot implement any type of account access policies? Our IT security reviewers are hot on account policies, i.e. lockouts, expiries, and back off attempts.
Thanks
Raymond
Solution Architect - Orion Health
On August 31, 2017 at 12:41 AM Raymond Sellars Raymond.Sellars@orionhealth.com wrote:
Hi
Looking for some confirmation/direction on how to achieve the following.
We have a requirement to support both SASL PLAIN and DIGEST-MD5 authentication (certification reasons). In addition to this we have an application (webmail) that utilises a master password pattern for access, as the contain web portal provides the necessary authentication.
I have access to users' passwords in PLAIN text and am looking to utilise the dict lookup mechanism for passwords.
Problem #1
https://wiki2.dovecot.org/Authentication/MultipleDatabases - "Currently the fallback works only with the PLAIN authentication mechanism."
The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
Problem #2 How do I enforce some kind of account access policy
Currently we're backing the authentication with an Identity and Authentication system. I would like to block IMAP access if a user's account is locked out, expired, or inactive. Similarly if there are too many IMAP attempts with the incorrect password I would like the account system wide to be locked out.
With Dict lookup I don't see a mechanism to keep the IDM system aware of login attempts/failures, since it pulls the plaintext password and validates internally. Is this possible?
As a worst case does Dovecot implement any type of account access policies? Our IT security reviewers are hot on account policies, i.e. lockouts, expiries, and back off attempts.
You can use https://wiki2.dovecot.org/Authentication/Policy to implement complex requirements.
Other than that, Dovecot will deter brute force on its own to some degree.
Thanks
Raymond
Solution Architect - Orion Health
Aki Tuomi
Dovecot Oy
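A sketch of what the policy server Aki points at could look like, as an added example that is not part of this thread or of Dovecot itself: a small HTTP endpoint that refuses locked, expired or inactive accounts (the ACCOUNT_STATE table is a constructed stand-in for the IDM lookup), tarpits repeat failures with a growing delay, and locks the account once a failure threshold is reached. It follows the wiki's auth-policy protocol as I understand it: Dovecot POSTs one JSON document per attempt and reads back `status` (-1 reject, 0 continue, a positive value asks Dovecot to delay by that many seconds) and `msg`; the after-auth report is recognised by its `success` key. Names such as PolicyState, MAX_FAILURES and the listening port are this example's own choices, not anything Dovecot defines.

```python
"""Minimal Dovecot auth-policy server (added example, not Dovecot code).

Dovecot POSTs a JSON document per authentication attempt and expects
{"status": N, "msg": "..."} back: -1 rejects, 0 continues, a positive
value delays the response by that many seconds (protocol as understood
from the Dovecot wiki; verify against your release).
"""
import json
import time
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the IDM account states. In a real deployment this
# would be a lookup against the identity system rather than a static table.
ACCOUNT_STATE = {
    "alice@example.com": "active",
    "bob@example.com": "locked",
    "carol@example.com": "expired",
}

MAX_FAILURES = 5        # lock the account after this many recent failures
WINDOW_SECONDS = 900    # failures older than this are forgotten
BASE_DELAY = 2          # tarpit delay doubles with each recent failure ...
MAX_DELAY = 30          # ... up to this cap (seconds)


class PolicyState:
    """Per-login failure bookkeeping; the clock is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)   # login -> [failure timestamps]
        self.locked = {}                    # login -> time of lockout

    def _recent(self, login):
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[login] = [t for t in self.failures[login] if t >= cutoff]
        return self.failures[login]

    def check(self, req):
        """Before-auth check: refuse disabled accounts, tarpit repeat failures."""
        login = req.get("login", "")
        state = ACCOUNT_STATE.get(login, "unknown")
        if state != "active":
            return {"status": -1, "msg": "account %s" % state}
        if login in self.locked:
            return {"status": -1, "msg": "account locked after repeated failures"}
        n = len(self._recent(login))
        if n == 0:
            return {"status": 0, "msg": "ok"}
        delay = min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)
        return {"status": delay, "msg": "%d recent failures, delaying" % n}

    def report(self, req):
        """After-auth report: record the outcome, lock at the threshold."""
        login = req.get("login", "")
        if req.get("success"):
            self.failures.pop(login, None)      # a good login clears the counter
            return {"status": 0, "msg": "ok"}
        recent = self._recent(login)
        recent.append(self.clock())
        if len(recent) >= MAX_FAILURES:
            self.locked[login] = self.clock()
            # This is the point at which the IDM would be told to lock the
            # account system-wide (hypothetical hook, not implemented here).
            return {"status": -1, "msg": "lockout threshold reached"}
        return {"status": 0, "msg": "failure recorded"}

    def handle(self, req):
        # The after-auth report carries a "success" key; the before-auth
        # check does not (assumption about the wire format, see lead-in).
        return self.report(req) if "success" in req else self.check(req)


class PolicyHandler(BaseHTTPRequestHandler):
    state = PolicyState()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        req = json.loads(self.rfile.read(length) or b"{}")
        body = json.dumps(self.state.handle(req)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on loopback only; Dovecot's auth process is the sole client.
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```

Pointing Dovecot at it means setting auth_policy_server_url to the listener, a non-empty auth_policy_hash_nonce (needed for the pwhash attribute), and enabling both auth_policy_check_before_auth and auth_policy_report_after_auth; those setting names come from the linked wiki page, so confirm them against the release you upgrade to. State lives in the process here, which is fine for one policy server but means a proxy pair would each count failures separately unless the bookkeeping is moved to shared storage.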
Thanks
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi@dovecot.fi]
Sent: Friday, 1 September 2017 2:15 AM
To: dovecot@dovecot.org; Raymond Sellars
Subject: Re: Mixed Authentication and password schemes
The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
[Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you say it's not really needed but more one of those tick the compliance boxes.
Problem #2 How do I enforce some kind of account access policy
As a worst case does Dovecot implement any type of account access policies? Our IT security reviewers are hot on account policies, i.e. lockouts, expiries, and back off attempts.
You can use https://wiki2.dovecot.org/Authentication/Policy to implement complex requirements.
Other than that, Dovecot will deter brute force on its own to some degree.
[Raymond] Thanks, I'll need to upgrade but this definitely addresses the requirement.
Thanks
Raymond
Solution Architect - Orion Health
Aki Tuomi
Dovecot Oy
On September 1, 2017 at 2:44 AM Raymond Sellars Raymond.Sellars@orionhealth.com wrote:
Thanks
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi@dovecot.fi]
Sent: Friday, 1 September 2017 2:15 AM
To: dovecot@dovecot.org; Raymond Sellars
Subject: Re: Mixed Authentication and password schemes
The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
[Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you say it's not really needed but more one of those tick the compliance boxes.
My condolences. Do they really require it for *master password* too, which makes little sense?
Aki
Hi
No, master password isn't required for certification. That's more an internal technical design for our Webmail application.
My fall back design is to employ two different dovecot proxies but I suspect I run the risk of mailbox corruption as the director nodes won't be shared.
It's not really necessary with SSL.
This is a good point I'd forgotten to consider. It would allow me to mix master + PLAIN and then isolated DIGEST-MD5 maybe in a different proxy. The practical world vs the theory.
Thanks
Raymond
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi@dovecot.fi]
Sent: Friday, 1 September 2017 11:32 PM
To: dovecot@dovecot.org; Raymond Sellars
Subject: RE: Mixed Authentication and password schemes
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi@dovecot.fi]
Sent: Friday, 1 September 2017 2:15 AM
To: dovecot@dovecot.org; Raymond Sellars
Subject: Re: Mixed Authentication and password schemes
The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
[Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you say it's not really needed but more one of those tick the compliance boxes.
My condolences. Do they really require it for *master password* too, which makes little sense?
Aki