[Dovecot] Disable IMAP for ONE user only
I use MySQL to store my virtual users passwords and I am running the latest version of Dovecot.
What I need to do is have one particular user have ONLY access to their email via Roundcube (webmail) and no IMAP/SMTP access.
Therefore, how do I disable IMAP/SMTP access for just one user?
Hi! Use the %s variable in the query (http://wiki2.dovecot.org/Variables). E.g. you can use a new column in the table, or use CASE in the SELECT statement if you don't need to change the table schema. Regards, Marcin
A simpler query could look like: SELECT foo FROM bar WHERE ... AND (%u != 'blocked@user' AND %s != 'imap')
You can also use Bit Operators directly via SQL - like in vpopmail.
I'm confused. Roundcube's using imap, so how are the %s queries helping? Isn't the real question "How can I limit imap to specific clients/localhost, depending on the user"?
http://wiki2.dovecot.org/Variables see: %r / rip
From dovecot.conf:
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
So maybe you can even set up an overriding passdb {} inside of a remote x.x.x.x/x {}
That's a good point.
If I block IMAP/SMTP access to ONE user does that mean that particular user can't use Roundcube anymore?
I basically want one user to ONLY be able to send/receive/view their email in Roundcube and not be able to send/receive/view email from any other client (ie: Thunderbird, K9 email on Android, Outlook etc).
On 5/5/2014 1:05 PM, SIW wrote:
That's a good point.
If I block IMAP/SMTP access to ONE user does that mean that particular user can't use Roundcube anymore?
That is correct. If you block IMAP, then webmail will not work.
Webmail clients are just IMAP proxies. If the roundcube you want the user to utilize is running on a specific server, then you can allow IMAP only from the IP address of that server.
However, usually when I hear an admin wanting to restrict only one user to some limited access option, it is usually a policy issue and not a technical one. Trying to employ a technical solution is usually the wrong way of doing it.
Why are you trying to limit just this one user?
Dem
I'm glad you asked. Here's the challenge:
When I travel overseas I sometimes need to use a computer at an internet cafe to access my email via a browser. I use Google's Authenticator to generate an OTP that I use with Roundcube so I have two factor authentication. All seems secure right? Wrong. If someone records my login credentials on the untrusted internet computer then they can use those login credentials to access my email via IMAP (ie: Thunderbird). (It's happened before.)
Yes, I know I should use my own trusted device but in some cases that just is NOT an option.
Therefore, how can I access my email via a browser that is safe from keyloggers at internet cafes? I'm open to all ideas at this point!
What I was originally thinking was having a second copy of my mailbox that was updated every hour (from my live mailbox) and that I had a separate login to it that ONLY had rights to read/send via Roundcube (ie: no access with IMAP clients such as Thunderbird, K9 etc).
I was thinking of using Application Specific Passwords but this doesn't solve the issue either, as once someone records my login credentials they can use them to access IMAP.
Roundcube is secure in all of this... it's IMAP that I am battling with securing...
Quoting Professa Dementia <professa@dementianati.com>:
On 5/5/2014 1:05 PM, SIW wrote:
That's a good point.
If I block IMAP/SMTP access to ONE user does that mean that particular user can't use Roundcube anymore?
That is correct. If you block IMAP, then webmail will not work.
Not necessarily.
From: http://wiki2.dovecot.org/AuthDatabase/VPopMail
"Logically this means: show the password for user=%n at domain=%d when IMAP on the account is not disabled, and the connection is not coming from localhost when webmail access on the account is not disabled, and if IMAP for the domain is not disabled and (the connection is not coming from localhost when webmail access for the domain is not disabled), when vlimits are not overridden on the account."
# password_query = select pw_passwd as password FROM vpopmail LEFT JOIN limits ON vpopmail.pw_domain=limits.domain WHERE pw_name='%n' and pw_domain='%d' and !(pw_gid & 8) and ('%r'!='127.0.0.1' or !(pw_gid & 4)) and ( ('%r'!='127.0.0.1' or COALESCE(disable_webmail,0)!=1) and COALESCE(disable_imap,0)!=1 or (pw_gid & 8192) );
So construct your SQL query in a way that your bit field in MySQL disables all access for a single user except when the source IP is your webmail server.
If you want multiple passwords, you can modify the password_query with iif statements based on the source IP or protocol.
Like: select iif(%r == '127.0.0.1' & pw_name== 'yourname' & pw_domain='yourdomain',pw_webmailpasswrd,pw_passwd) as pw_passwd from vpopmail ..... Of course that's specific to the vpopmail table... modify as needed for your own table structure...
Rick
Hi Rick
I really appreciate your response!
Unfortunately my SQL is, how can we say, very basic. I built my server using the Linode guide at:
https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql
Currently my password query looks as follows:
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
I'm not familiar with VPopMail, would I need it in this situation? Currently I use Postfix/Dovecot/MySQL/Apache/Roundcube.
You don't need vpopmail - that's just an example. It has its own table structure.
Are you the only user - I missed that part of the question. If so, ignore the 'Bit Operator' part, you won't need it. That's to allow different types of access per user (and makes the query that much more complex).
Change your user table structure and add a 2nd password field named 'imap_password', then change your Dovecot query SQL to the below:
SELECT email as user, if(%r == '127.0.0.1', password,imap_password) as password FROM virtual_users WHERE email='%u';
That will return the contents of 'password' when you use webmail (assuming it's all installed on one box), and 'imap_password' when you connect from any other system.
If you're unfamiliar with modifying MySQL tables, install phpmyadmin (and lock it down) or another visual MySQL client.
If there are multiple users, you'll need to either change the query to just match your username or add another field to do a bit check and make the query more complex... :)
Rick
Thanks Rick!
I have a handful of users on the server but I am the only one requiring secure access to my mail while travelling. Everything is installed on one box. I will give your recommendation a try, so thank you for that.
Another option I was thinking about as well: is it possible to use "throw away one time passwords" with my setup? As described here:
http://blog.kevinvandervlist.nl/projects/roundcube-static-otp/
It would be *perfect* if I could access my mail "normally" from an IMAP client (Thunderbird/K9) using a strong password and then use an OTP (using Google's Authenticator) with a "throw away password" that can ONLY be used once!
This would allow me to login at an internet cafe with a throw away password and not care if it's being recorded, as it could only be used once anyway and couldn't be used with IMAP. Is this a possibility?
I'm just trying to consider all the ideas :-)
Duh. 'ONE user only' would be the clue. So your query would be like: SELECT email as user, if(%r = '127.0.0.1' & user = 'yourloginname', password,imap_password) as password FROM virtual_users WHERE email='%u';
Also, test! And Google! I'm throwing this out off the top of my head.. I think the double == was wrong.
The best way to test this is to just replace the %u with your username and %r with either 127.0.0.1 or anything else on the MySQL command line and make sure what's returned is the password you're expecting.
Rick
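The split-credential query Rick sketches above, written out as an added example (not from the thread) that also covers his "bit check" remark for the multi-user case. It assumes MySQL, the Linode-guide table virtual_users(email, password), and Roundcube on the same box so its IMAP logins reach Dovecot from 127.0.0.1; the added column names, the addresses and the hash values are constructed placeholders.

```sql
-- Added example, not from the thread. Assumes MySQL and the Linode-guide table
-- virtual_users(email, password), with Roundcube on the same box so its IMAP
-- logins reach Dovecot from 127.0.0.1. Column names, addresses and hashes below
-- are constructed placeholders.

-- 1. Schema: a second credential used only by real IMAP clients, plus a
--    per-account flag so the split applies to one user (or a few) and nobody else.
ALTER TABLE virtual_users
  ADD COLUMN imap_password   VARCHAR(255) NULL,
  ADD COLUMN split_passwords TINYINT(1)   NOT NULL DEFAULT 0;

-- Opt one account in. The hash must use the same scheme the existing
-- 'password' column already uses (placeholder value here).
UPDATE virtual_users
   SET split_passwords = 1,
       imap_password   = '{SHA512-CRYPT}$6$placeholder-imap-hash'
 WHERE email = 'traveller@example.com';

-- 2. Dovecot side (dovecot-sql.conf.ext). %u is the login name and %r the
--    client IP as Dovecot sees it; Dovecot SQL-escapes both before running
--    the query. Accounts that did not opt in keep their single password; an
--    opted-in account gets 'password' only when the connection comes from the
--    webmail host, and 'imap_password' from anywhere else. If imap_password
--    is still NULL for such an account, the query returns a NULL password and
--    Dovecot rejects the login rather than falling back.
--    Caveat: if Roundcube connects to "localhost" and that resolves to IPv6,
--    %r is '::1', so add that case or pin Roundcube to 127.0.0.1.
--
-- password_query = SELECT email AS user, \
--   IF(split_passwords = 0 OR '%r' = '127.0.0.1', password, imap_password) AS password \
--   FROM virtual_users WHERE email = '%u'

-- 3. Test the way Rick suggests: substitute the variables by hand on the MySQL
--    command line and check which credential each path returns.

-- (a) What Dovecot runs for a Roundcube login on the same box: expect 'password'.
SELECT email AS user,
       IF(split_passwords = 0 OR '127.0.0.1' = '127.0.0.1', password, imap_password) AS password
  FROM virtual_users
 WHERE email = 'traveller@example.com';

-- (b) The same account from a remote IMAP client: expect 'imap_password'.
SELECT email AS user,
       IF(split_passwords = 0 OR '203.0.113.7' = '127.0.0.1', password, imap_password) AS password
  FROM virtual_users
 WHERE email = 'traveller@example.com';

-- (c) Any other account, from anywhere: expect its unchanged 'password'.
SELECT email AS user,
       IF(split_passwords = 0 OR '203.0.113.7' = '127.0.0.1', password, imap_password) AS password
  FROM virtual_users
 WHERE email = 'colleague@example.com';
```

The IP test only separates logins arriving via the webmail host from everything else; a keylogged webmail password still works in Roundcube itself, which is why the OTP-in-Dovecot point raised later in the thread still applies.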
I'm beginning to wonder if I am going about this all wrong :-)
Would it not be easier/better to leave all IMAP/SMTP access in place (for all users) and then just use "one time throw away passwords" for logging in from an internet cafe with Roundcube?
Can this be done? So after you login it just deletes the password you have logged in with. Can you have one username with many (throw away) passwords? But keep one password that is used for IMAP/Thunderbird as you don't want that password being deleted/removed from the system!
On Monday, May 5, 2014 11:49:52 PM CEST, SIW wrote:
I'm beginning to wonder if I am going about this all wrong :-)
No offense: I'm thinking the same thing. ;-)
Would it not be easier/better to leave all IMAP/SMTP access in place (for all users) and then just use "one time throw away passwords" for logging in from an internet cafe with Roundcube?
YES! Yes, that should be possible. It seems that [1] says that dovecot supports OTP and S/Key by default, using PAM would allow you to use more than that (i.e. plug in a yubikey or whatever). Obviously moving to PAM might not be an option with your virtual users.
Can this be done? So after you login it just deletes the password you have logged in with. Can you have one username with many (throw away) passwords? But keep one password that is used for IMAP/Thunderbird as you don't want that password being deleted/removed from the system!
Well, you certainly can have multiple passwords per user as far as I can tell: [2] lists ways to do the 'password verification by sql server' and that should allow you to have a way to switch between different passwords for the same user. That said, that still sounds .. not that nice. The best way would be to support two-factor/OTP in dovecot itself and while the latter is documented as 'supported' (again, see [1]), the documentation HOW that is going to work seems to be missing. [3]
At the moment I'd say your best bet would be to wait for some dovecot developers to chime in and help with the OTP or S/Key stuff. Messing with the SQL Query is a hack, ugly and .. well: You still leak your password, if password/otp is 'Roundcube only'.
On a sidenote: This guy [4] isn't you, is it? Seems like someone's evaluating the same thing (with the same threat model) just now.
Ben
1: http://wiki2.dovecot.org/Authentication/Mechanisms
2: http://wiki2.dovecot.org/AuthDatabase/SQL
3: And boy is searching the wiki evil and .. unintuitive..
4: https://forums.freebsd.org/viewtopic.php?f=43&t=45341
On 5/5/2014 3:30 PM, Benjamin Podszun wrote:
On Monday, May 5, 2014 11:49:52 PM CEST, SIW wrote:
I'm beginning to wonder if I am going about this all wrong :-)
No offense: I'm thinking the same thing. ;-)
Would it not be easier/better to leave all IMAP/SMTP access in place (for all users) and then just use "one time throw away passwords" for logging in from an internet cafe with Roundcube?
Have you considered Yubikey?
https://www.yubico.com/products/yubikey-hardware/yubikey/
The USB device looks like a keyboard when plugged in. Plug it in, type in your login, highlight the password field, then press the button on the Yubikey. It "types" in the OTP. Click the login button.
It runs on many OSes, including Linux, where it interfaces with PAM. A simple PAM config change installs it.
https://www.yubico.com/applications/computer-login/linux/
You can even (and I do recommend that you) use it with two factor, so you enter a normal password, plus the OTP (something that you know, plus something that you have). This would take a small change to Roundcube, which is beyond scope for this list.
Dem
I haven't considered Yubikey but I was considering this:
I'm not sure if these USB virtual keyboards are the best option as some internet cafes won't let you plug in USB devices or you don't have the rights to install it (I know they say it doesn't require drivers but some machines are locked down good)
From what I have read it sounds like I need to have two passwords for one login...one for Roundcube (with OTP) and one for IMAP access. I think the key to this is to ONLY allow the IMAP password to be used with IMAP and for the Roundcube password (with OTP) to ONLY have access to Roundcube. That way if the Roundcube password gets recorded/keylogged then they can't use it with IMAP. Is this possible? (ie: bind/enforce a particular password to one type of service)
Another option: is it possible to have my main account and use it with IMAP but have a SECOND set of login credentials that I only use for Roundcube but can access the mailbox of the other account?
I'm still battling with this!
On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
I haven't considered Yubikey but I was considering this:
I'm not sure if these USB virtual keyboards are the best option as some internet cafes won't let you plug in USB devices or you don't have the rights to install it (I know they say it doesn't require drivers but some machines are locked down good)
I'd be surprised if these machines wouldn't support plain USB keyboards. Probably the keyboard you'll use at these machines isn't PS/2 anymore..
From what I have read it sounds like I need to have two passwords for one login...one for Roundcube (with OTP) and one for IMAP access. I think the key to this is to ONLY allow the IMAP password to be used with IMAP and for the Roundcube password (with OTP) to ONLY have access to Roundcube. That way if the Roundcube password gets recorded/keylogged then they can't use it with IMAP. Is this possible? (ie: bind/enforce a particular password to one type of service)
I think you're confused. Take a step back. You came with a ~strange~ requirement (see subject, by now you understand that 'disable imap for one user' isn't what you want). You provided not enough details to proceed and I think you are still not quite sure what you want to do here.
The thought process you outline above isn't clear. I _assume_ (note: Please confirm/deny) you looked at OTP solutions that are roundcube only, i.e. that are implemented in PHP. That'd mean that there's no OTP support in your dovecot setup and plain/direct imap connections use nothing but your regular password. Furthermore it seems that you confuse/mix OTPs with two-factor authentication and assume the latter with the Roundcube-only setup I believe to understand above. That is, you log in to your Roundcube site with
- your regular password AND
- something else (call it OTP)
Only under these circumstances it makes sense that you consider OTPs to be broken for your threat model: A keylogger has now your regular password and a useless OTP, but needs only the regular password for dovecot because the OTP support is bolted on/a hack in the wrong place.
I still think you want OTP support in dovecot itself. It might be possible to hack the Roundcube thing (still leaning heavily on my assumptions above) to require _just_ a OTP, but that'd require Roundcube to be able to login without you transmitting your real password. That'd fix the hack for 'someone logged my keys', but isn't much of an improvement overall.
Another option, is it possible to have my main account and use it with IMAP but have a SECOND set of login credentials that I only use for Roundcube but can access my mailbox of the the other account?
Yes, that would be possible and I pointed to a specific part of the documentation for that. You could, without too much effort, support accounts with multiple passwords, whatever that would be good for.
I'm still battling with this!
See above: Please reflect a moment, check the facts you provided and fill in the missing details.
Hi Benjamin
Thanks for your input.
I guess I need to take a step back and define some requirements. Currently I have too many options running through my head which has overwhelmed me and is not helping! You are correct in saying that the subject of this post is now incorrect. Maybe it should now be: Two factor for Dovecot and Roundcube for secure remote access
First of all I don't want any of the authentication options to change for all current users. I am the *only* user that requires secure access to webmail while travelling overseas.
So the requirements are:
For all users (except myself) allow them to continue using the system as it is
For me (and possibly some new users in the future), allow a secure way of authenticating with Roundcube so that if the password is recorded with a keylogger, access to my mailbox via IMAP is not possible. (NB: When I say IMAP, I mean non-Roundcube/HTTP access to my mailbox)
Email clients include: Thunderbird, Outlook, K9 on Android and Roundcube
Yes, I have looked at OTP for Roundcube and currently use Google's Authenticator which works nicely in securing Roundcube ONLY. The OTP AND password is required to login. The OTP is generated on my Android phone.
From what I have gathered, the options for securing logins from an untrusted machine are:
Use throw away passwords - ie: passwords that can only be used once and can ONLY be used for logging into Roundcube
Use OTP for Dovecot AND Roundcube - I have no idea how to do this
Have a copy of my mailbox (that gets synced with a cron job) and have a completely separate login to access this mailbox. This login will ONLY be used when using Roundcube from an untrusted machine and will NOT be allowed IMAP access (this can be done in the password_query I think). Or use two login accounts to the same mailbox maybe but one account is used for travelling and can't access IMAP?
The important thing here is that if/when the password gets recorded while logging into Roundcube that it can NOT be used to access my mailbox from (say) Thunderbird. Also OTP should not be enforced for the other users (ie: it should be optional).
Does that clarify? Sorry if I'm all over the place but there doesn't seem to be a clear/simple way to achieve what I want. Feel free to ask me more questions and I will try my best to answer so that it clarifies things.
Thank you.
PS: Regarding USB virtual keyboards (like Yubikey), I'd like to avoid them if possible as you can't always connect a USB device to a machine in an internet cafe (sometimes they physically lock the USB ports so they can't be used).
On 06/05/2014 08:44, Benjamin Podszun wrote:
On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
I haven't considered Yubikey but I was considering this:
I'm not sure if these USB virtual keyboards are the best option as some internet cafes won't let you plug in USB devices or you don't have the rights to install it (I know they say it doesn't require drivers but some machines are locked down good)
I'd be surprised if these machines wouldn't support plain USB keyboards. Probably the keyboard you'll use at these machines isn't PS/2 anymore.
From what I have read it sounds like I need to have two passwords for one login...one for Roundcube (with OTP) and one for IMAP access. I think the key to this is to ONLY allow the IMAP password to be used with IMAP and for the Roundcube password (with OTP) to ONLY have access to Roundcube. That way if the Roundcube password gets recorded/keylogged then they can't use it with IMAP. Is this possible? (ie: bind/enforce a particular password to one type of service)
I think you're confused. Take a step back. You came with a ~strange~ requirement (see subject, by now you understand that 'disable imap for one user' isn't what you want). You provided not enough details to proceed and I think you are still not quite sure what you want to do here.
The thought process you outline above isn't clear. I _assume_ (note: Please confirm/deny) you looked at OTP solutions that are roundcube only, i.e. that are implemented in PHP. That'd mean that there's no OTP support in your dovecot setup and plain/direct imap connections use nothing but your regular password. Furthermore it seems that you confuse/mix OTPs with two-factor authentication and assume the latter with the Roundcube-only setup I believe to understand above. That is, you log in to your Roundcube site with
- your regular password AND
- something else (call it OTP)
Only under these circumstances it makes sense that you consider OTPs to be broken for your threat model: A keylogger has now your regular password and a useless OTP, but needs only the regular password for dovecot because the OTP support is bolted on/a hack in the wrong place.
I still think you want OTP support in dovecot itself. It might be possible to hack the Roundcube thing (still leaning heavily on my assumptions above) to require _just_ an OTP, but that'd require Roundcube to be able to login without you transmitting your real password. That'd fix the hack for 'someone logged my keys', but isn't much of an improvement overall.
Another option, is it possible to have my main account and use it with IMAP but have a SECOND set of login credentials that I only use for Roundcube but can access my mailbox of the other account?
Yes, that would be possible and I pointed to a specific part of the documentation for that. You could, without too much effort, support accounts with multiple passwords, whatever that would be good for.
I'm still battling with this!
See above: Please reflect a moment, check the facts you provided and fill in the missing details.
After giving this some thought and taking a step back I followed Rick Romero's advice and I think I have a working proof of concept on my test server :-)
Here are the steps I have followed, I am interested in hearing people's thoughts on this or some feedback:
- Created an extra column in my users tables that does authentication and added a second password. The table looks like this now after running the SQL statements to create the column and add a second password for my account:
ALTER TABLE virtual_users ADD travel_password VARCHAR(106);
UPDATE mailserver.virtual_users SET travel_password=ENCRYPT('newpassword',concat('$6$',substring(sha(rand()), -16))) WHERE email='user@domain.com';
+----+-----------+-----------------------+-----------------+-----------------+
| id | domain_id | password              | email           | travel_password |  <------- This end column is new
+----+-----------+-----------------------+-----------------+-----------------+
|  6 |         1 | $6$8e5d84a4ee689211$f | user@domain.com | $6$56095ed3867  |
+----+-----------+-----------------------+-----------------+-----------------+
NB: I have shortened the passwords for readability
- I then edited the password_query in /usr/local/etc/dovecot/dovecot-sql.conf.ext for Dovecot to:
password_query = SELECT email as user, if('%r' = '127.0.0.1' AND email ='user@domain.com', travel_password,password) as password FROM virtual_users WHERE email='%u';
and restarted Dovecot
This seems to be working as I would expect it to :-) If I login to Roundcube as user@domain.com with my travel_password it logs me in. If I login as the same user but use the "normal" password it doesn't log me in. If I use Thunderbird I can only use the "normal" password (using the travel_password fails as I would expect it to).
So now I can login from an untrusted internet cafe machine, and they can record my login credentials and my mailbox will be safe! When I use Roundcube, the OTP AND the travel_password are required for login. Since the hacker can't reuse the OTP, the login details are safe. They also can't use the travel_password for IMAP access.
I realise this is a bit of a hack and only works for a handful of users but for my setup it (seems) perfect!
Comments and feedback are welcome! Thanks Rick and to everyone for their valuable input.
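The two-password setup above, as an added example that is not SIW's own SQL or config: a scratch-database version of the table and of the password_query as Dovecot expands it for the two connection types. It assumes the constructed passwords 'normal-secret' and 'travel-secret', a constructed outside address 203.0.113.5, and a second constructed user; it also generalizes the hard-coded email check to any row whose travel_password is set, which covers the "handful of users" case without editing the config per user.

```sql
-- Constructed table in the thread's layout.  ENCRYPT() with a '$6$' salt
-- yields SHA512-CRYPT, which Dovecot's CRYPT scheme verifies.
-- (ENCRYPT() was removed in MySQL 8.0; there, hash with
--  `doveadm pw -s SHA512-CRYPT` and INSERT the resulting string.)
CREATE TABLE virtual_users (
  id              INT PRIMARY KEY,
  domain_id       INT NOT NULL,
  password        VARCHAR(106) NOT NULL,
  travel_password VARCHAR(106) NULL,      -- NULL = user has no travel password
  email           VARCHAR(100) NOT NULL UNIQUE
);

INSERT INTO virtual_users (id, domain_id, email, password, travel_password) VALUES
  (6, 1, 'user@domain.com',
   ENCRYPT('normal-secret', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))),
   ENCRYPT('travel-secret', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))),
  (7, 1, 'other@domain.com',
   ENCRYPT('other-secret',  CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))),
   NULL);

-- password_query as Dovecot expands it for a Roundcube login on the same host
-- (%r -> 127.0.0.1, %u -> user@domain.com).  The travel hash comes back, so
-- only 'travel-secret' verifies; the normal password is rejected here.
SELECT email AS user,
       IF('127.0.0.1' = '127.0.0.1' AND travel_password IS NOT NULL,
          travel_password, password) AS password
  FROM virtual_users WHERE email = 'user@domain.com';

-- Same query for a Thunderbird login from 203.0.113.5: the normal hash comes
-- back, so a keylogged 'travel-secret' is useless over direct IMAP.
SELECT email AS user,
       IF('203.0.113.5' = '127.0.0.1' AND travel_password IS NOT NULL,
          travel_password, password) AS password
  FROM virtual_users WHERE email = 'user@domain.com';

-- A user without a travel password is unaffected from either address.
SELECT email AS user,
       IF('127.0.0.1' = '127.0.0.1' AND travel_password IS NOT NULL,
          travel_password, password) AS password
  FROM virtual_users WHERE email = 'other@domain.com';

-- The dovecot-sql.conf.ext line that produces the queries above.  Note that
-- the choice keys on the client address only: any IMAP client running on the
-- mail host itself would also be handed the travel hash, not just Roundcube.
-- password_query = SELECT email AS user, \
--   IF('%r' = '127.0.0.1' AND travel_password IS NOT NULL, \
--      travel_password, password) AS password \
--   FROM virtual_users WHERE email = '%u'
```

`doveadm auth test -x rip=127.0.0.1 user@domain.com travel-secret`, and the same with rip set to an outside address, exercises the real query through Dovecot's auth process rather than the hand-expanded SELECTs above.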
On 06/05/2014 13:38, SIW wrote:
Another option I was thinking about is:
Can you have "throw away one time passwords" that you use for logging into Roundcube only?
SIW wrote on 2014-05-05 18:39:
I use MySQL to store my virtual users passwords and I am running the latest version of Dovecot.
What I need to do is have one particular user have ONLY access to their email via Roundcube (webmail) and no IMAP/SMTP access.
Therefore, how do I disable IMAP/SMTP access for just one user?
it's not a Roundcube question
but:
http://wiki2.dovecot.org/Authentication/RestrictAccess
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
set up that user to have allow_nets 127.0.0.1, which is Roundcube, imho
solved?
participants (8)
- Benjamin Podszun
- Benny Pedersen
- Gedalya
- Marcin Mirosław
- Professa Dementia
- Rick Romero
- Sean Wilson
- SIW