Am 10.03.2013 11:28, schrieb dovecot.pkoch@dfgh.net:

Dear Dovecot experts,

we have unusual authentication requirements, namely:

• almost all of our user are using a smartcard to connect with our mailserver. Thunderbird is our friend here as it will use the smartcard as an additional certificate store and Thunderbird will do client certificate based authentication when connecting via SSL with a mailserver

• there's no way (at least that I know of) for our iPad users to use a smartcard, so our iPad and iPhone users use OTP token (http://www.gooze.eu/catalog/otp-tokens-oath-0)

For 10 years we are using a very simple POP3-server where I replaced the authentication routines with my own functions and these function are doing the following:

1. if the connection was made without SSL refuse to connect
2. if the client was using a client certificate extract the username from the certificate. Since we cannot stop Thunderbird from sending a username/passowrd-combination we compare the username from the certificate with the username Thunderbird has sent. If the usernames matches we allow access and ignore the password.
3. if the client did not sent a client certificate we calculate the current OneTimePassword of the users OTP-token and compare that with the password Thunderbird has sent. If the passwords matches we allow access. If a OTP-password was validated it can be used for 24 hours so our OTP-users must use their tokens only once a day.

Now we would like to switch from POP3 to IMAP, so here are my questions:

• can Dovecot be CONFIGURED to do the above. I compiled it yesterday and SSL client authentication works as expected. OTP seems to be supported via PAM and I can write a PAM-modul for our OTP-tokens, so OTP would be possible too. But how do I tell Dovecot to do OTP-auth as a fallback for ClientCert-auth.

• I already looked into the sourcecode of Dovecot. Seems like all the authentication routines were built as pluggable modules. Is there any documentation out there on how how to built my own auth-module. Integrating the OTP-auth directly into Dovecot would be a lot easier (for me) than creating a PAM-module, so I would prefer that. If there was interest from other people I would add some configuration options to Dovecot (for example the location of the OTP-token list). Otherwise I would just hardcode everything into the source.

Peter

try read

http://wiki2.dovecot.org/PasswordDatabase/PAM

... This can be useful with e.g. pam_opie to find out which one time password you're supposed to give:

1 LOGIN username otp 1 NO otp-md5 324 0x1578 ext, Response: ...

Best Regards MfG Robert Schetterer

-- [*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich

On 10.3.2013, at 12.28, dovecot.pkoch@dfgh.net wrote:

For 10 years we are using a very simple POP3-server where I replaced the authentication routines with my own functions and these function are doing the following:

1. if the connection was made without SSL refuse to connect
2. if the client was using a client certificate extract the username from the certificate. Since we cannot stop Thunderbird from sending a username/passowrd-combination we compare the username from the certificate with the username Thunderbird has sent. If the usernames matches we allow access and ignore the password.
3. if the client did not sent a client certificate we calculate the current OneTimePassword of the users OTP-token and compare that with the password Thunderbird has sent. If the passwords matches we allow access. If a OTP-password was validated it can be used for 24 hours so our OTP-users must use their tokens only once a day.

Now we would like to switch from POP3 to IMAP, so here are my questions:

• can Dovecot be CONFIGURED to do the above. I compiled it yesterday and SSL client authentication works as expected. OTP seems to be supported via PAM and I can write a PAM-modul for our OTP-tokens, so OTP would be possible too. But how do I tell Dovecot to do OTP-auth as a fallback for ClientCert-auth.

Create a passdb that succeeds if user has a valid SSL client cert. http://wiki2.dovecot.org/Variables has %k which is "valid" if client has it set. There are several ways you can do this .. for example with sqlite do a SELECT that checks for %k. Another possibility is a checkpassword script.

The secondary passdb would then be the OTP.

• I already looked into the sourcecode of Dovecot. Seems like all the authentication routines were built as pluggable modules. Is there any documentation out there on how how to built my own auth-module. Integrating the OTP-auth directly into Dovecot would be a lot easier (for me) than creating a PAM-module, so I would prefer that. If there was interest from other people I would add some configuration options to Dovecot (for example the location of the OTP-token list). Otherwise I would just hardcode everything into the source.

See how the auth process already can build an ldap plugin. For outside sources you can build auth plugins the same way as any other plugins. http://dovecot.org/patches/ has many such example plugins. Or see how Pigeonhole does it with autotools.