[Dovecot] Ideas for Webmail/OTP

Frank Behrens frank at pinky.sax.de
Tue Aug 7 12:03:12 EEST 2007


Steffen Kaiser <skdovecot at smail.inf.fh-bonn-rhein-sieg.de> wrote on 7 Aug 2007 10:26:
> You mean, the client issues LOGIN (with a dummy password), because Dovecot
> needs to acquire the OTP challenge first, this LOGIN attempt fails,
> but the username can be used to acquire the OTP challenge.  It is reported
> back, via the LOGIN failure string and, secondly, another LOGIN attempt
> is sent, this time with the same username and a real password.

Yes, this was my intention.

> I guess, you'll need to tweak the webmail interface a bit, that this
> sequence is working well.

It's easy: If a login fails the webmailer has to write an error message in any case. Simply 
include the IMAP error response.

> There are time-related OTPs, where the sequence number is derived from the 
> current time. When a client tries a logon, the server calculates plenty of 
> OTPs near the current time and adjusts itself to the client, in 
> case the device's clock is running too slow or fast.

Of course, this is more sophisticated and more expensive. My proposal uses OPIE - One-time 
Passwords In Everything.  But remember: With my proposal you always use the login 
configuration from the operating system. If you have a pam module for an electronic one-time 
password generator you can use it with IMAP and webmail without additional changes in 
the IMAP or webmail server.

> > Solution 3:
> > My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP extension a
> > client can set the real IP address of the remote client. The access to this command is restricted
> > to the webserver with a new configuration parameter "trusted clients", which holds an IP
> > address with mask.
> 
> Hmm, any clients accessing webmail via the same proxy or from the same 
> NATed organisation will use the same IP, dial-up IPs switch the users more 
> often than anything else. I don't think that restricting by IPs you have 
> no knowledge about is safe.

I meant it inversely. You can allow the usage of "normal" passwords for all IMAP and webmail 
clients in the local network and restrict external clients to OTP. With pam configuration you make 
this decision for all logins (ssh, ftp), not only for IMAP with dovecot.

Regards,
   Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
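The LOGIN-twice flow discussed in this thread, modelled as an added example (not Dovecot code and not part of the original post): a server-side state machine that answers the first LOGIN from an untrusted address with an RFC 2289 (OPIE, otp-md5) challenge in the NO response, verifies the one-time password on the second LOGIN, and lets clients inside a configured trusted network use a static password instead. The user names, seeds, passwords and network ranges are constructed; the IMAP wire format is reduced to a (success, response-line) tuple.

```python
"""Model of a two-step IMAP LOGIN with an OPIE-style (RFC 2289, otp-md5) challenge.
Constructed example: user data, seeds, networks and the static password are made up."""
import hashlib
import hmac
import ipaddress


def _fold(digest: bytes) -> bytes:
    # RFC 2289 folds the 16-byte MD5 digest to 8 bytes by XORing its two halves.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    # Initial step hashes lowercased seed + passphrase once; sequence number
    # `count` is then produced by `count` further hash-and-fold rounds.
    state = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        state = _fold(hashlib.md5(state).digest())
    return state


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    # Hex form of the one-time password, which is what the client types in.
    return otp_md5(passphrase, seed, count).hex().upper()


class OtpLoginServer:
    """First LOGIN from outside the trusted networks fails with the challenge in the
    NO text; the second LOGIN carries the OTP for that sequence number."""

    def __init__(self, trusted_nets, static_passwords):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]
        self.static = static_passwords           # user -> static password
        self.users = {}                          # user -> {"seed", "seq", "last"}

    def enroll(self, user: str, passphrase: str, seed: str, seq: int) -> None:
        # Server stores only the OTP for sequence `seq`, never the passphrase.
        self.users[user] = {"seed": seed, "seq": seq,
                            "last": otp_md5(passphrase, seed, seq)}

    def is_trusted(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted)

    def login(self, user: str, password: str, client_ip: str):
        """Return (authenticated, IMAP-style response text)."""
        if user not in self.users:
            return False, "NO Authentication failed"
        if self.is_trusted(client_ip):
            # Local network: a normal static password is acceptable.
            ok = hmac.compare_digest(password, self.static.get(user, ""))
            return ok, "OK LOGIN completed" if ok else "NO Authentication failed"
        rec = self.users[user]
        want = rec["seq"] - 1                    # sequence number the client must answer
        try:
            resp = bytes.fromhex(password)
        except ValueError:
            resp = b""
        # Hashing the client's OTP(n-1) once must reproduce the stored OTP(n).
        if len(resp) == 8 and hmac.compare_digest(_fold(hashlib.md5(resp).digest()), rec["last"]):
            rec["last"], rec["seq"] = resp, want  # advance, so the same OTP cannot be replayed
            return True, "OK LOGIN completed"
        # Any failure (including the deliberate dummy-password LOGIN) reports the challenge.
        return False, f"NO otp-md5 {want} {rec['seed']} ext"


def demo():
    # Constructed scenario: 192.0.2.0/24 is the office LAN, 203.0.113.5 an external client.
    srv = OtpLoginServer(["192.0.2.0/24"], {"frank": "static-example-pw"})
    srv.enroll("frank", "correct horse battery", "ke1234", 100)
    first = srv.login("frank", "dummy", "203.0.113.5")        # obtain the challenge
    seq = int(first[1].split()[2])
    second = srv.login("frank", otp_hex("correct horse battery", "ke1234", seq), "203.0.113.5")
    replay = srv.login("frank", otp_hex("correct horse battery", "ke1234", seq), "203.0.113.5")
    local = srv.login("frank", "static-example-pw", "192.0.2.10")
    return first, second, replay, local


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The server keeps only the last accepted one-time password and advances on each success, so a captured OTP is useless afterwards; this is the property that makes the scheme acceptable for a webmailer that shows the NO text to the user. Before relying on the `otp_md5` function, check it against the otp-md5 test vectors in RFC 2289 Appendix C.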