[Dovecot] Disable IMAP for ONE user only

Benjamin Podszun dar at darklajid.de
Tue May 6 07:44:33 UTC 2014


On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
> I haven't considered Yubikey but I was considering this:
>
> http://www.s-crib.com/
>
> I'm not sure if these USB virtual keyboards are the best option 
> as some internet cafes won't let you plug in USB devices or you 
> don't have the rights to install it (I know they say it doesn't 
> require drivers but some machines are locked down good)

I'd be surprised if these machines wouldn't support plain USB keyboards. 
Probably the keyboard you'll use at these machines isn't PS/2 anymore.

> From what I have read it sounds like I need to have two 
> passwords for one login...one for Roundcube (with OTP) and one 
> for IMAP access. I think the key to this is to ONLY allow the 
> IMAP password to be used with IMAP and for the Roundcube 
> password (with OTP) to ONLY have access to Roundcube. That way 
> if the Roundcube password gets recorded/keylogged then they 
> can't use it with IMAP. Is this possible? (ie: bind/enforce a 
> particular password to one type of service)

I think you're confused. Take a step back. You came with a ~strange~ 
requirement (see subject, by now you understand that 'disable imap for one 
user' isn't what you want). You did not provide enough details to proceed and 
I think you are still not quite sure what you want to do here.

The thought process you outline above isn't clear. I _assume_ (note: Please 
confirm/deny) you looked at OTP solutions that are roundcube only, i.e. 
that are implemented in PHP. That'd mean that there's no OTP support in 
your dovecot setup and plain/direct imap connections use nothing but your 
regular password. Furthermore it seems that you confuse/mix OTPs with 
two-factor authentication and assume the latter with the Roundcube-only 
setup I believe to understand above. That is, you log in to your Roundcube 
site with
- your regular password AND
- something else (call it OTP)

Only under these circumstances does it make sense that you consider OTPs to be 
broken for your threat model: A keylogger has now your regular password and 
a useless OTP, but needs only the regular password for dovecot because the 
OTP support is bolted on/a hack in the wrong place.

I still think you want OTP support in dovecot itself. It might be possible 
to hack the Roundcube thing (still leaning heavily on my assumptions above) 
to require _just_ an OTP, but that'd require Roundcube to be able to log in 
without you transmitting your real password. That'd fix the hack for 
'someone logged my keys', but isn't much of an improvement overall.

> Another option, is it possible to have my main account and use 
> it with IMAP but have a SECOND set of login credentials that I 
> only use for Roundcube but can access my mailbox of the 
> other account?

Yes, that would be possible and I pointed to a specific part of the 
documentation for that. You could, without too much effort, support 
accounts with multiple passwords, whatever that would be good for.

> I'm still battling with this!

See above: Please reflect a moment, check the facts you provided and fill 
in the missing details.

> On 06/05/2014 00:06, Professa Dementia wrote:
>> On 5/5/2014 3:30 PM, Benjamin Podszun wrote:
>  ...