[Dovecot] Ideas for Webmail/OTP

Timo Sirainen tss at iki.fi
Tue Jul 24 09:42:29 EEST 2007


On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
> Solution 1:
> When PAM is configured for IMAP the user can use a one-time-password in the same way 
> as before. The problem is, that the user must know the sequence number for the password 
> (otp challenge), so we need a way to display it. The PAM module supplies the otp challenge 
> in the conversation function, but the challenge is not processed by the IMAP server.
> My proposal: The IMAP server stores the challenge from the conversation function and 
> includes it in the LOGIN response, when the login was not successful. So a user can try a 
> login with a wrong dummy password and get knowledge about the current otp sequence.

I'd like to see your patch for this. I've no idea how pam_otp works.

> Solution 3:
> When we configure PAM we can restrict/allow its use depending on IP address of client. 
> Unfortunately with a webmail client the IMAP client is always the webserver. It should be 
> possible, that the webserver forwards the client IP address to the IMAP server. Furthermore 
> to use dovecot's login cache as described above in a safe manner, the IP address should be 
> compared, too.
> My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP extension a 
> client can set the real IP address of remote client. The access to this command is restricted 
> to the webserver with a new configuration parameter "trusted clients", which holds an IP 
> address with mask.

Cyrus Murder has something similar to this I think. We could make it
compatible with it.
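The trusted-client check that Solution 3 depends on, as an added illustration rather than any code from the thread or from Dovecot: a hypothetical XSETREMOTEIP handler that honours a forwarded address only from configured "trusted clients" (address with mask), and a login cache that compares the remote IP as well. The command name comes from the proposal; the configuration values, function names and cache layout are constructed for this example.

```python
import ipaddress
import logging

log = logging.getLogger("imap-trusted-clients")

# Constructed configuration for the proposed "trusted clients" parameter:
# each entry is an address with mask, and only these may set the remote IP.
TRUSTED_CLIENTS = [
    ipaddress.ip_network("192.0.2.10/32"),    # the webmail host
    ipaddress.ip_network("2001:db8:1::/64"),  # a webmail cluster
]


def is_trusted_client(conn_ip: str) -> bool:
    """True when the IMAP connection itself comes from a trusted webserver."""
    addr = ipaddress.ip_address(conn_ip)
    return any(addr in net for net in TRUSTED_CLIENTS)


def xsetremoteip(conn_ip: str, arg: str) -> tuple[str, str]:
    """Handle the proposed XSETREMOTEIP command (hypothetical handler).

    Returns (IMAP response text, remote IP the login path should use).
    The forwarded address is accepted only from a trusted client and only
    when it parses as an IP; otherwise the real connection address is kept,
    so an untrusted client cannot claim to be inside an allowed network.
    """
    if not is_trusted_client(conn_ip):
        log.warning("XSETREMOTEIP refused from untrusted client %s", conn_ip)
        return "NO XSETREMOTEIP not permitted from this address", conn_ip
    try:
        remote = ipaddress.ip_address(arg)
    except ValueError:
        log.warning("trusted client %s sent unparsable remote IP %r", conn_ip, arg)
        return "BAD XSETREMOTEIP invalid address", conn_ip
    return "OK XSETREMOTEIP remote IP set", str(remote)


class LoginCache:
    """Constructed cache of accepted logins, bound to the remote IP as the
    thread suggests, so a hit from a different address is treated as a miss."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], str] = {}

    def store(self, user: str, cred_digest: str, remote_ip: str) -> None:
        # cred_digest is a digest of the credential, never the password itself
        self._entries[(user, cred_digest)] = remote_ip

    def lookup(self, user: str, cred_digest: str, remote_ip: str) -> bool:
        return self._entries.get((user, cred_digest)) == remote_ip
```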
