TFA authentication in dovecot, using XMPP and RFC 4226

Michael Peddemors michael at linuxmagic.com
Wed Apr 3 19:14:36 EEST 2019


The issue related to plugins that use or advertise other capabilities 
is that it has to have a hook to modify what's advertised. We are having 
that same challenge where we use CLIENTID as a component for two factor 
as well, but of course the important thing before we can release the 
plugin is the ability for plugins to "advertise" capabilities.

Still waiting for that to get the green light on our patch, so we can 
publish some of our plugins related to this, and other things that 
require the ability to advertise the capability string.

Variable Capabilities Patch
https://github.com/dovecot/core/pull/86

As an aside, another aggressive botnet launched on April 1st, testing 
all the information in the large breached data set that appears to be 
the 'verifications.io' breach.. As long as these types of breaches occur, we 
need more universal methods for two factor.. hoping to see movement on 
that pull request, so we can share more of what we are doing in our 
custom environments.

On 2019-04-02 11:16 p.m., André Rodier via dovecot wrote:
> Hello,
> 
> I would like to implement some kind of two-factor authentication in
> Dovecot.
> 
> I am thinking about using the post login script, to check for unusual
> behaviour, like say, a different country / IP address or an unusual
> hour.
> 
> I already wrote a simple shell script that checks these factors, but
> now I have some options for the following, and I need to know your
> opinion on whether this is feasible or not.
> 
> I want to use the google authenticator Debian package (it supports the HMAC-
> Based One-time Password (HOTP) algorithm specified in RFC 4226 and the
> Time-based One-time Password (TOTP)).
> 
> The challenge would be sent via XMPP. This second part is fairly easy
> to do, I have all the packages on Debian, for instance sendxmpp. The
> first tests are promising.
> 
> In case of success, the IP address is added to the list, let's say for
> one month...
> 
> My back-end for authentication is OpenLDAP.
> 
> My questions are:
> 
> - Do you see any performance issues for other users or login processes,
> if I implement this?
> - I am planning to use a timeout, for instance one minute to confirm
> the connection. Does Dovecot have a timeout on its side, that would
> abort the connection before?
> 
> Otherwise:
> 
> - Is it possible to have multiple authentication back-ends in Dovecot?
> For instance LDAP and/or OTP?
> - I think I have seen some TFA options in Dovecot, but AFAICS, they
> are mandatory.
> 
> Thanks for your insights, and this fabulous software.
> 



-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


More information about the dovecot mailing list