Hi!

~ dovecot --version 2.2.22 (fe789d2)

I am wondering if there is a way to set up virtual users with multiple valid passwords. We want to be able to provide users with device/app-specific passwords for their email accounts, as well as being able to create temporary "access tokens" for technical support when required.

I quickly found out that passdb using passwd-file or an sql-backend does not support returning multiple entries ("Error: passwd-file /etc/dovecot/virtual.passwd: User rye exists more than once").

The documentation mentions that you can pass the plain-text password on to the MySQL-server for verification, and I suppose multiple passwords could could work, given a query like this (pseudo-SQL):

SELECT password FROM account WHERE user = '%u' AND domain = '%d' AND password = TO_BASE64((SHA2('%w', 512));

However, having Dovecot pass the plain-text password and letting the database deal with the hashing and encoding doesn't seem like a very "clean" solution. Preferably, dovecot should be the only piece of software touching the plain-text.

Ideally, I would like the following behavior:

1. passdb results multiple possible hashed passwords for the user
2. dovecot attempts the passwords in order
3. login fails normally if none of the passdb results match

Does anyone have any experience, or tips for setting up this type of behavior?

Other ideas we have touched upon are:

1. Different usernames (eg. 'user_device' or 'user_application')
2. Multiple passdbs(?)

Best regards, Eirik Rye