[Dovecot] Disable IMAP for ONE user only
SIW
bov at bsdpanic.com
Fri May 9 12:58:20 UTC 2014
After giving this some thought and taking a step back I followed Rick
Romero's advice and I think I have a working proof of concept on my test
server :-)
Here are the steps I have followed. I am interested in hearing people's
thoughts on this or some feedback:
1) Created an extra column in my users table that does authentication
and added a second password. The table looks like this now after running
the SQL statements to create the column and add a second password for my
account:

ALTER TABLE virtual_users ADD travel_password VARCHAR(106);
UPDATE mailserver.virtual_users SET
  travel_password=ENCRYPT('newpassword',concat('$6$',substring(sha(rand()), -16)))
  WHERE email='user@domain.com';
+----+-----------+-----------------------+-----------------+-----------------+
| id | domain_id | password              | email           | travel_password |  <------- This end column is new
+----+-----------+-----------------------+-----------------+-----------------+
|  6 |         1 | $6$8e5d84a4ee689211$f | user@domain.com | $6$56095ed3867  |
+----+-----------+-----------------------+-----------------+-----------------+

NB: I have shortened the passwords for readability
2) I then edited the password_query in
/usr/local/etc/dovecot/dovecot-sql.conf.ext for Dovecot to:

password_query = SELECT email as user, \
  if('%r' = '127.0.0.1' AND email='user@domain.com', travel_password, password) as password \
  FROM virtual_users WHERE email='%u';

and restarted Dovecot.
This seems to be working as I would expect it to :-) If I log in to
Roundcube as user at domain.com with my travel_password it logs me in. If I
log in as the same user but use the "normal" password it doesn't log me
in. If I use Thunderbird I can only use the "normal" password (using the
travel_password fails as I would expect it to).
So now I can log in from an untrusted internet cafe machine, and they can
record my login credentials and my mailbox will be safe! When I use
Roundcube, the OTP AND the travel_password are required for login. Since
the hacker can't reuse the OTP, the login details are safe. They also
can't use the travel_password for IMAP access.
I realise this is a bit of a hack and only works for a handful of users
but for my setup it (seems) perfect!
Comments and feedback are welcome! Thanks Rick and to everyone for their
valuable input.
On 06/05/2014 13:38, SIW wrote:
> Hi Benjamin
>
> Thanks for your input.
>
> I guess I need to take a step back and define some requirements.
> Currently I have too many options running through my head which has
> overwhelmed me and is not helping! You are correct in saying that the
> subject of this post is now incorrect. Maybe it should now be: Two
> factor for Dovecot and Roundcube for secure remote access
>
> First of all I don't want any of the authentication options to change
> for all current users. I am the *only* user that requires secure
> access to webmail while travelling overseas.
>
> So the requirements are:
>
> 1) For all users (except myself) allow them to continue using the
> system as it is
>
> 2) For me (and possibly some new users in the future), allow a secure
> way of authenticating with Roundcube so that if the password is
> recorded with a keylogger, access to my mailbox via IMAP is not
> possible. (NB: When I say IMAP, I mean non-Roundcube/HTTP access to my
> mailbox)
>
> 3) Email clients include: Thunderbird, Outlook, K9 on Android and
> Roundcube
>
> 4) Yes, I have looked at OTP for Roundcube and currently use Google's
> Authenticator which works nicely in securing Roundcube ONLY. The OTP
> AND password is required to login. The OTP is generated on my Android
> phone.
>
> From what I have gathered, the options for securing logging in from an
> untrusted machine are:
>
> 1) Use throw away passwords - ie: passwords that can only be used once
> and can ONLY be used for logging into Roundcube
>
> 2) Use OTP for Dovecot AND Roundcube - I have no idea how to do this
>
> 3) Have a copy of my mailbox (that gets synced with a cron job) and
> have a completely separate login to access this mailbox. This login
> will ONLY be used when using Roundcube from an untrusted machine and
> will NOT be allowed IMAP access (this can be done in the
> password_query I think). Or use two login accounts to the same mailbox
> maybe but one account is used for travelling and can't access IMAP?
>
> The important thing here is that if/when the password gets recorded
> while logging into Roundcube that it can NOT be used to access my
> mailbox from (say) Thunderbird. Also OTP should not be enforced for
> the other users (ie: it should be optional).
>
> Does that clarify? Sorry if I'm all over the place but there doesn't
> seem to be a clear/simple way to achieve what I want. Feel free to ask
> me more questions and I will try my best to answer so that it
> clarifies things.
>
> Thank you.
>
> PS: Regarding USB virtual keyboards (like Yubikey), I'd like to avoid
> them if possible as you can't always connect a USB device to a machine
> in an internet cafe (sometimes they physically lock the USB ports so
> they can't be used).
>
>
> On 06/05/2014 08:44, Benjamin Podszun wrote:
>> On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
>>> I haven't considered Yubikey but I was considering this:
>>>
>>> http://www.s-crib.com/
>>>
>>> I'm not sure if these USB virtual keyboards are the best option as
>>> some internet cafes won't let you plug in USB devices or you don't
>>> have the rights to install it (I know they say it doesn't require
>>> drivers but some machines are locked down good)
>>
>> I'd be surprised if these machines wouldn't support plain USB
>> keyboards. Probably the keyboard you'll use at these machines isn't
>> PS/2 anymore.
>>
>>> From what I have read it sounds like I need to have two passwords
>>> for one login...one for Roundcube (with OTP) and one for IMAP
>>> access. I think the key to this is to ONLY allow the IMAP password
>>> to be used with IMAP and for the Roundcube password (with OTP) to
>>> ONLY have access to Roundcube. That way if the Roundcube password
>>> gets recorded/keylogged then they can't use it with IMAP. Is this
>>> possible? (ie: bind/enforce a particular password to one type of
>>> service)
>>
>> I think you're confused. Take a step back. You came with a ~strange~
>> requirement (see subject, by now you understand that 'disable imap
>> for one user' isn't what you want). You provided not enough details
>> to proceed and I think you are still not quite sure what you want to
>> do here.
>>
>> The thought process you outline above isn't clear. I _assume_ (note:
>> Please confirm/deny) you looked at OTP solutions that are roundcube
>> only, i.e. that are implemented in PHP. That'd mean that there's no
>> OTP support in your dovecot setup and plain/direct imap connections
>> use nothing but your regular password. Furthermore it seems that you
>> confuse/mix OTPs with two-factor authentication and assume the latter
>> with the Roundcube-only setup I believe to understand above. That is,
>> you log in to your Roundcube site with
>> - your regular password AND
>> - something else (call it OTP)
>>
>> Only under these circumstances it makes sense that you consider OTPs
>> to be broken for your threat model: A keylogger has now your regular
>> password and a useless OTP, but needs only the regular password for
>> dovecot because the OTP support is bolted on/a hack in the wrong place.
>>
>> I still think you want OTP support in dovecot itself. It might be
>> possible to hack the Roundcube thing (still leaning heavily on my
>> assumptions above) to require _just_ an OTP, but that'd require
>> Roundcube to be able to login without you transmitting your real
>> password. That'd fix the hack for 'someone logged my keys', but isn't
>> much of an improvement overall.
>>
>>> Another option, is it possible to have my main account and use it
>>> with IMAP but have a SECOND set of login credentials that I only use
>>> for Roundcube but can access my mailbox of the other account?
>>
>> Yes, that would be possible and I pointed to a specific part of the
>> documentation for that. You could, without too much effort, support
>> accounts with multiple passwords, whatever that would be good for.
>>
>>> I'm still battling with this!
>>
>> See above: Please reflect a moment, check the facts you provided and
>> fill in the missing details.
>>
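To see exactly which credential the password_query in step 2 hands to Dovecot for each (user, client address) combination, here is an added Python emulation of that selection logic; it is not code from this thread or from Dovecot, the rows and passwords are constructed, and the hashing is a PBKDF2 stand-in for MySQL's ENCRYPT()/crypt(3) so it runs offline.

```python
import hashlib
import hmac

def make_hash(password, salt):
    """Constructed stand-in for MySQL ENCRYPT()/crypt(3): keeps the '$6$salt$hash'
    shape of the real column but uses PBKDF2-SHA512 so it runs offline on any Python."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), 10_000)
    return "$6$" + salt + "$" + digest.hex()

def verify(password, stored):
    salt = stored.split("$")[2]
    return hmac.compare_digest(make_hash(password, salt), stored)

# Constructed virtual_users rows after step 1 (salts copied from the table above).
VIRTUAL_USERS = {
    "user@domain.com": {"password": make_hash("normal-pw", "8e5d84a4ee689211"),
                        "travel_password": make_hash("travel-pw", "56095ed3867")},
    "alice@domain.com": {"password": make_hash("alice-pw", "0123456789abcdef"), "travel_password": None},
}
TRAVEL_USER = "user@domain.com"   # the one account that got a second password
WEBMAIL_IP = "127.0.0.1"          # %r: Roundcube reaches Dovecot from localhost

def password_query(user, remote_ip):
    """Emulates: SELECT IF('%r'='127.0.0.1' AND email='user@domain.com',
    travel_password, password) AS password FROM virtual_users WHERE email='%u'."""
    row = VIRTUAL_USERS.get(user)
    if row is None:
        return None                     # no row: Dovecot reports an unknown user
    if remote_ip == WEBMAIL_IP and user == TRAVEL_USER:
        return row["travel_password"]   # the only hash Dovecot gets to check
    return row["password"]

def authenticate(user, password, remote_ip):
    stored = password_query(user, remote_ip)
    return stored is not None and verify(password, stored)

def policy_matrix():
    cases = {
        "roundcube_travel": ("user@domain.com", "travel-pw", "127.0.0.1"),
        "roundcube_normal": ("user@domain.com", "normal-pw", "127.0.0.1"),
        "imap_travel": ("user@domain.com", "travel-pw", "203.0.113.7"),
        "imap_normal": ("user@domain.com", "normal-pw", "203.0.113.7"),
        "other_user_local": ("alice@domain.com", "alice-pw", "127.0.0.1"),
        "other_user_remote": ("alice@domain.com", "alice-pw", "203.0.113.7"),
    }
    return {name: authenticate(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, accepted in policy_matrix().items():
        print(f"{name:18s} {'accepted' if accepted else 'rejected'}")
```

The matrix makes two properties of the query explicit: for the travel user the normal password is rejected from 127.0.0.1 (the behaviour observed with Roundcube above), and the switch is keyed on the client address rather than on the webmail service, so any client that reaches Dovecot from localhost is offered the travel_password path, not only Roundcube.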