[Dovecot] Disable IMAP for ONE user only

[SIW]

Hi Benjamin

Thanks for your input.

I guess I need to take a step back and define some requirements. 
Currently I have too many options running through my head which has 
overwhelmed me and is not helping! You are correct in saying that the 
subject of this post is now incorrect. Maybe is should now be: Two 
factor for Dovecot and Roundcube for secure remote access

First of all I don't want any of the authentication options to change 
for all current users. I am the *only* user that requires secure access 
to webmail while travelling overseas.

So the requirements are:

1) For all users (except myself) allow them to continue using the system 
as it is

2) For me (and possibly some new users in the future), allow a secure 
way of authenticating with Roundcube so that if the password is recorded 
with a keylogger, access to my mailbox via IMAP is not possible. (NB: 
When I say IMAP, I mean non-Roundcibe/HTTP access to my mailbox)

3) Email clients include: Thunderbird, Outlook, K9 on Android and Roundcube

4) Yes, I have looked at OTP for Roundcube and currently use Googles 
Authenticator which works nicely in securing Roundcube ONLY. The OTP AND 
password is required to login. The OTP is generate on my Android phone.

 From what I have gathered, the options for securing logging in from an 
untrusted machine are:

1) Use throw away passwords - ie: passwords that can only be used once 
and can ONLY be used for logging into Roundcube

2) Use OTP for Dovecot AND Roundcube - I have no idea how to do this

3) Have a copy of my mailbox (that gets synced with a cron job) and have 
a completely separate login to access this mailbox. This login will ONLY 
be used when using Roundcube from an untrusted machine and will NOT be 
allowed IMAP access (this can be done in the password_query I think). Or 
use two login accounts to the same mailbox maybe but one account is used 
for travelling and can't access IMAP?

The important thing here is that if/when the password gets recorded 
while logging into Roundcube that it can NOT be used to access my 
mailbox from (say) Thunderbird. Also OTP should not be enforced for the 
other users (ie: it should be optional).

Does that clarify? Sorry if I'm all over the place but there doesn't 
seem to be a clear/simple way to achieve what I want. Feel free to ask 
me more questions and I will try my best to answer so that it clarifies 
things.

Thank you.

PS: Regarding USB virtual keyboards (like Yubikey), I'd like to avoid 
them if possible as you can't always connect a USB device to a machine 
in an internet cafe (sometimes they physically lock the USB ports so 
they can't be used).


On 06/05/2014 08:44, Benjamin Podszun wrote:
> On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
>> I haven't considered Yubikey but I was considering this:
>>
>> http://www.s-crib.com/
>>
>> I'm not sure if these USB virtual keyboards are the best option as 
>> some internet cafes won't let you plug in USB devices or you don't 
>> have the rights to install it (I know they say it doesn't require 
>> drivers but some machines are locked down good)
>
> I'd be surprised if these machines wouldn't support plain USB 
> keyboards. Probably the keyboard you'll use at these machines isn't 
> PS/2 anymore..
>
>>  From what I have read it sounds like I need to have two passwords 
>> for one login...one for Roundcube (with OTP) and one for IMAP access. 
>> I think the key to this is to ONLY allow the IMAP password to be used 
>> with IMAP and for the Roundcube password (with OTP) to ONLY have 
>> access to Roundcube. That way if the Roundcube password gets 
>> recorded/keylogged then they can't use it with IMAP. Is this 
>> possible? (ie: bind/enforce a particular password to one type of 
>> service)
>
> I think you're confused. Take a step back. You came with a ~strange~ 
> requirement (see subject, by now you understand that 'disable imap for 
> one user' isn't what you want). You provided not enough details to 
> proceed and I think you are still not quite sure what you want to do 
> here.
>
> The thought process you outline above isn't clear. I _assume_ (note: 
> Please confirm/deny) you looked at OTP solutions that are roundcube 
> only, i.e. that are implemented in PHP. That'd mean that there's no 
> OTP support in your dovecot setup and plain/direct imap connections 
> use nothing but your regular password. Furthermore it seems that you 
> confuse/mix OTPs with two-factor authentication and assume the latter 
> with the Roundcube-only setup I believe to understand above. That is, 
> you log in to your Roundcube site with
> - your regular password AND
> - something else (call it OTP)
>
> Only under these circumstances it makes sense that you consider OTPs 
> to be broken for your threat model: A keylogger has now your regular 
> password and a useless OTP, but needs only the regular password for 
> dovecot because the OTP support is bolted on/a hack in the wrong place.
>
> I still think you want OTP support in dovecot itself. It might be 
> possible to hack the Roundcube thing (still leaning heavily on my 
> assumptions above) to require _just_ a OTP, but that'd require 
> Roundcube to be able to login without you transmitting your real 
> password. That'd fix the hack for 'someone logged my keys', but isn't 
> much of an improvement overall.
>
>> Another option, is it possible to have my main account and use it 
>> with IMAP but have a SECOND set of login credentials that I only use 
>> for Roundcube but can access my mailbox of the the other account?
>
> Yes, that would be possible and I pointed to a specific part of the 
> documentation for that. You could, without too much effort, support 
> accounts with multiple passwords, whatever that would be good for.
>
>> I'm still battling with this!
>
> See above: Please reflect a moment, check the facts you provided and 
> fill in the missing details.
>