application specific passwords

Rick Romero rick at havokmon.com
Thu Jul 20 15:31:35 EEST 2017


  Quoting mj <lists at merit.unu.edu>:

> Hi,
>
> Further to the other thread about password guessing activities  
> against our dovecot, I would like to implement application specific  
> passwords on our dovecot.
>
> Googling results in some documents, but they are all a bit older:
>
>> https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
>
>> https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot
>
>> http://www.justinbuchanan.com/blog/category/RoundCube
>
>> http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix
>
> Those articles are interesting, but also rather old. (I realise that
> this does not necessarily mean: irrelevant or bad)
>
> Is there anyone here with some additional notes, ideas, tips, tricks
> on setting up application specific passwords with dovecot with
> virtual users? We are using samba AD as an authentication backend.
> MJ

I'm working on PrivacyIdea (PI) integration for 2FA.  The reason I  
mention this for app passwords is because PI allows multiple 'tokens'  
that aren't just for 2FA. 

This would allow you to give your users a web portal to create 'password'
(SPASS) tokens - using their AD pass to auth to the portal. Then using
PAM Radius, Dovecot can auth against the multiple password tokens.

Personally - I'm not too thrilled about having users have multiple  
passwords for IMAP - BUT if you're trying to protect the AD password,  
this would be a method of isolating AD away.  You can set PI to fall  
back to the AD password if the user doesn't have a token, so  
integration is pretty seamless.
You can also do some fancy policy-based token matching to require 2FA
for say - webmail - and allow SPASS for POP/IMAP.  This is what I'm
aiming for, but I've had issues with the webmail client portion (user
using 2FA, and IMAP being hardcoded) and haven't gotten back to it to
truly guide anyone else through it.

Rick
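As an added illustration (not from Rick's post, nor configuration shipped by Dovecot or privacyIDEA), the three config fragments below show the shape of the chain described above: Dovecot hands the login to PAM, PAM forwards it over RADIUS to privacyIDEA, and Dovecot itself never sees the AD credentials. Assumed values: the RADIUS front end of privacyIDEA answers at the placeholder host `pi-radius.example.internal`, `SECRET_PLACEHOLDER` stands in for the shared secret, `dovecot` is the PAM service name, and the vmail uid/gid/home are placeholders for a virtual-user setup.

```conf
# --- /etc/dovecot/conf.d/10-auth.conf  (Dovecot side) ---
# Every IMAP/POP3 login is passed to PAM; "dovecot" is the PAM service
# name, so the rules in /etc/pam.d/dovecot decide the outcome.
# failure_show_msg lets the PAM failure text reach the client log.
passdb {
  driver = pam
  args = failure_show_msg=yes dovecot
}
# PAM only answers yes/no; the mailbox location still has to come from a
# userdb. A static userdb is enough for virtual users (values are placeholders).
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

# --- /etc/pam.d/dovecot  (PAM side) ---
# Authentication goes to RADIUS only. The account phase is a plain permit so
# that a virtual user with no local passwd entry is not rejected there.
auth     required   pam_radius_auth.so conf=/etc/pam_radius_dovecot.conf
account  required   pam_permit.so

# --- /etc/pam_radius_dovecot.conf  (server list for pam_radius_auth) ---
# server[:port]                   shared secret        timeout (seconds)
pi-radius.example.internal:1812   SECRET_PLACEHOLDER   5
```

The server-list file carries the shared secret, so it should be readable by root only; Dovecot's PAM lookups run in the auth worker, which runs as root by default for exactly this reason. Once the pieces are in place, `doveadm auth test user@example.com` exercises the whole chain without a mail client, and the RADIUS reject/accept shows up on the privacyIDEA side in its audit log. The parts Rick mentions beyond this, the fallback to the AD password when a user has no token and the policy that demands 2FA for webmail but accepts an SPASS token for POP/IMAP, are configured as policies inside privacyIDEA, not in Dovecot or PAM, and are not shown here.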


More information about the dovecot mailing list