[Dovecot] Disable IMAP for ONE user only

Benjamin Podszun dar at darklajid.de
Mon May 5 22:30:15 UTC 2014


On Monday, May 5, 2014 11:49:52 PM CEST, SIW wrote:
> I'm beginning to wonder if I am going about this all wrong :-)

No offense: I'm thinking the same thing. ;-)

> Would it not be easier/better to leave all IMAP/SMTP access in 
> place (for all users) and then just use "one time throw away 
> passwords" for logging in from an internet cafe with Roundcube?

YES!
Yes, that should be possible. It seems that [1] says that dovecot supports 
OTP and S/Key by default; using PAM would allow you to use more than that 
(i.e. plug in a YubiKey or whatever). Obviously moving to PAM might not be 
an option with your virtual users.

> Can this be done? So after you login it just deletes the 
> password you have logged in with. Can you have one username with 
> many (throw away) passwords? But keep one password that is used 
> for IMAP/Thunderbird as you don't want that password being 
> deleted/removed from the system!

Well, you certainly can have multiple passwords per user as far as I can 
tell: [2] lists ways to do the 'password verification by sql server' and 
that should allow you to have a way to switch between different passwords 
for the same user. That said, that still sounds .. not that nice. The best 
way would be to support two-factor/OTP in dovecot itself and while the 
latter is documented as 'supported' (again, see [1]), the documentation HOW 
that is going to work seems to be missing. [3]

At the moment I'd say your best bet would be to wait for some dovecot 
developers to chime in and help with the OTP or S/Key stuff. Messing with 
the SQL Query is a hack, ugly and .. well: You still leak your password, if 
password/otp is 'Roundcube only'.

On a side note: This guy [4] isn't you, is it? Seems like someone's 
evaluating the same thing (with the same threat model) just now.

Ben

1: http://wiki2.dovecot.org/Authentication/Mechanisms
2: http://wiki2.dovecot.org/AuthDatabase/SQL
3: And boy is searching the wiki evil and .. unintuitive..
4: https://forums.freebsd.org/viewtopic.php?f=43&t=45341
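
An illustration of the "many throwaway passwords plus one kept password" idea from the quoted question, added here as an example and not part of the original post or of Dovecot: a credential table in SQLite where single-use rows are deleted on first successful login. The table layout, the `service` labels and the function names are assumptions; the thread does not say how the webmail login path would be told apart from the mail-client path.

```python
import hashlib
import hmac
import os
import sqlite3

def _hash(password, salt):
    # Salted PBKDF2 so the table never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE credentials (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL,
        service TEXT NOT NULL,        -- hypothetical label: 'imap' or 'webmail'
        single_use INTEGER NOT NULL,  -- 1 = throwaway, 0 = long-lived
        salt BLOB NOT NULL,
        hash BLOB NOT NULL)""")
    return db

def add_credential(db, username, service, password, single_use):
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO credentials (username, service, single_use, salt, hash) "
        "VALUES (?, ?, ?, ?, ?)",
        (username, service, int(single_use), salt, _hash(password, salt)))
    db.commit()

def verify(db, username, service, password):
    rows = db.execute(
        "SELECT id, single_use, salt, hash FROM credentials "
        "WHERE username = ? AND service = ?", (username, service)).fetchall()
    for cred_id, single_use, salt, stored in rows:
        if not hmac.compare_digest(_hash(password, salt), stored):
            continue
        if not single_use:
            return True  # long-lived password stays in the table
        # Consume the throwaway password; rowcount == 1 means this login
        # is the one that removed it, so it cannot be replayed.
        cur = db.execute("DELETE FROM credentials WHERE id = ?", (cred_id,))
        db.commit()
        return cur.rowcount == 1
    return False

if __name__ == "__main__":
    db = open_db()  # constructed sample data below
    add_credential(db, "siw", "imap", "long-lived-secret", False)
    add_credential(db, "siw", "webmail", "throwaway-1", True)
    print(verify(db, "siw", "webmail", "throwaway-1"))  # first use
    print(verify(db, "siw", "webmail", "throwaway-1"))  # replay
```
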

