I did mention OTP for 2FA, and OTP can be indeed Google Authenticator, the reason I'm not that specific is because the documentation isn't :)

PAM can indeed be used for this, I've read some list conversations about this [1], [2]. However, as I mentioned in my first post, I'm interested to know about the internal Dovecot authentication methods. Since using PAM requires local users and I prefer using the virtual users inside Dovecot.

There are several OTP authentication mechanisms in the source code [3], [4], [5]. However, these lack documentation [6]. Therefore, I would like to explore these builtin authentication methods first.

Is there someone in the Dovecot community that can provide some more information about this, or the status of these authentication modules?

[1] https://dovecot.org/pipermail/dovecot/2013-March/088844.html [2] https://dovecot.org/pipermail/dovecot/2007-February/019340.html [3] https://github.com/dovecot/core/blob/master/src/auth/mech-otp.c [4] https://github.com/dovecot/core/blob/master/src/auth/mech-otp-skey-common.c [5] https://github.com/dovecot/core/blob/master/src/auth/password-scheme-otp.c [6] https://doc.dovecot.org/configuration_manual/authentication/authentication_m...

On Tue, 2020-01-07 at 05:54 +0200, dovecot-request@dovecot.org wrote:

You don't say what sort of 2FA you're considering, but wouldn't you just tell Dovecot to use PAM, and then extend PAM to use a 2FA module. For example there's a Google Auth one available in the second link below.

https://doc.dovecot.org/configuration_manual/authentication/pam/ https://github.com/google/google-authenticator-libpam

P. (Not a dovecot expert, although I know a fair amount about Linux)