Mixed Authentication and password schemes
Aki Tuomi
aki.tuomi at dovecot.fi
Thu Aug 31 17:14:35 EEST 2017
> On August 31, 2017 at 12:41 AM Raymond Sellars <Raymond.Sellars at orionhealth.com> wrote:
>
>
> Hi
>
> Looking for some confirmation/direction on how to achieve the following.
>
> We have a requirement to support both SASL PLAIN and DIGEST-MD5 authentication (certification reasons). In addition to this we have an application (webmail) that utilises a master password pattern for access, as the containing web portal provides the necessary authentication.
>
> I have access to users passwords in PLAIN text and looking to utilise the dict lookup mechanism for passwords.
>
> Problem #1
>
> https://wiki2.dovecot.org/Authentication/MultipleDatabases - "Currently the fallback works only with the PLAIN authentication mechanism."
>
> The above note suggests I can't use DIGEST-MD5 with master password configuration, if using more than one passdb setup. I don't understand why there would be a restriction as the password validation should just fall through irrespective.
>
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.
> Problem #2 How do I enforce some kind of account access policy
>
> Currently we're backing the authentication with an Identity and Authentication system. I would like to block IMAP access if a user's account is locked out, expired, or inactive. Similarly if there are too many IMAP attempts with the incorrect password I would like the account system wide to be locked out.
>
> With Dict lookup I don't see a mechanism to keep the IDM system aware of login attempts/failures, since it pulls the plaintext password and validates internally. Is this possible?
>
> As a worst case does Dovecot implement any type of account access policies? Our IT security reviewers are hot on account policies, i.e. lockouts, expiries, and back off attempts.
>
You can use https://wiki2.dovecot.org/Authentication/Policy to implement complex requirements.
Other than that, Dovecot will deter brute force on its own to some degree.
> Thanks
> Raymond
> Solution Architect - Orion Health
Aki Tuomi
Dovecot oy
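One way to implement the lockout, expiry and back-off rules Raymond lists, as an added example that is not from either poster: a minimal policy server for the Dovecot auth-policy exchange Aki points to, where Dovecot POSTs JSON before authentication (to obtain a penalty) and again afterwards (to report the result). The request/response field names (`login`, `success`, `status`, `msg`), the convention that the pre-auth lookup omits `success`, and the meaning of `status` (-1 reject, 0 permit, positive delay in seconds) follow the linked Policy page as I read it and are assumptions to check against your Dovecot version; `ACCOUNT_STATE` is a constructed stand-in for the IDM.

```python
"""Minimal Dovecot-style auth policy server: lockout, expiry and back-off."""
import json
import time
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_FAILURES = 5        # failed logins before the account is locked
LOCKOUT_SECONDS = 900   # how long a lockout lasts
BACKOFF_SECONDS = 2     # extra delay per prior failure (returned as status)

# Constructed sample of IDM account state; a real server would query the IDM.
ACCOUNT_STATE = {"alice": "active", "bob": "expired", "carol": "inactive"}


class PolicyState:
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(int)    # login -> consecutive failures
        self.locked_until = {}              # login -> unix time lock expires

    def evaluate(self, request):
        """Return the policy response dict {"status": int, "msg": str}."""
        login = request.get("login", "")
        state = ACCOUNT_STATE.get(login, "unknown")
        if state != "active":               # expired/inactive/unknown: reject
            return {"status": -1, "msg": f"account {state}"}
        if self.locked_until.get(login, 0) > self.now():
            return {"status": -1, "msg": "account locked"}
        if "success" not in request:        # assumed: pre-auth lookup has no "success"
            return {"status": self.failures[login] * BACKOFF_SECONDS, "msg": ""}
        if request["success"]:              # post-auth report of a good login
            self.failures.pop(login, None)
            return {"status": 0, "msg": ""}
        self.failures[login] += 1           # post-auth report of a failure
        if self.failures[login] >= MAX_FAILURES:
            self.locked_until[login] = self.now() + LOCKOUT_SECONDS
            self.failures.pop(login, None)
            return {"status": -1, "msg": "account locked"}
        return {"status": 0, "msg": ""}


class PolicyHandler(BaseHTTPRequestHandler):
    state = PolicyState()

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        reply = json.dumps(self.state.evaluate(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":  # point auth_policy_server_url at this address
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```

State is in-memory here, so it is lost on restart and not shared between policy-server instances; back it with the IDM or a shared store to get the system-wide lockout Raymond asks for.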