TFA authentication in dovecot, using XMPP and RFC 4226

André Rodier andre at rodier.me
Wed Apr 3 09:16:51 EEST 2019


Hello,

I would like to implement some kind of two-factor authentication in
Dovecot.

I am thinking about using the post login script, to check for unusual
behaviour, like say, a different country / IP address or an unusual
hour.

I already wrote a simple shell script that checks these factors, but
now, I have some options for the following, and I need to know your
opinion if this is feasible or not.

I want to use the Google Authenticator Debian package (it supports the
HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and
the Time-based One-time Password (TOTP) algorithm).

The challenge would be sent via XMPP. This second part is fairly easy
to do, I have all the packages on Debian, for instance sendxmpp. The
first tests are promising.

In case of success, the IP address is added to the list, let's say for
one month...

My back-end for authentication is OpenLDAP.

My questions are:

- Do you see any performance issues for other users or login processes,
if I implement this?
- I am planning to use a timeout, for instance one minute to confirm
the connection. Does Dovecot have a timeout on its side, that would
abort the connection before?

Otherwise:

- Is it possible to have multiple authentication back-ends in Dovecot?
For instance LDAP and/or OTP?
- I think I have seen some TFA options in Dovecot, but AFAICS, they
are mandatory.

Thanks for your insights, and this fabulous software.

-- 
André Rodier
HomeBox: https://github.com/progmaticltd/homebox
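As an added illustration (my own code, not the poster's script, Dovecot, or the Google Authenticator package), here is the RFC 4226 HOTP computation together with the server-side check a post-login script would perform after sending the challenge over XMPP. The look-ahead window is an assumed value; the secret and expected codes in the test come from the RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = ((digest[offset] & 0x7F) << 24           # mask sign bit
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, counter: int,
                look_ahead: int = 5, digits: int = 6):
    """Check a submitted code against the stored counter and a small
    resynchronisation window (the client may have generated codes that
    never reached the server). Returns the next counter value to store
    on success so the same code cannot be replayed, or None on failure.
    look_ahead=5 is an assumed policy value, not an RFC requirement."""
    for c in range(counter, counter + look_ahead + 1):
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
    SECRET = b"12345678901234567890"
    print(hotp(SECRET, 0))                 # 755224
    print(verify_hotp(SECRET, "287082", 0))  # 2: matched counter 1
```

The returned counter must be persisted before the login is accepted; otherwise a captured code stays valid within the window.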

