pa4wdh l33t
Joined: 16 Dec 2005 Posts: 812
Posted: Wed Jul 09, 2014 1:21 pm Post subject: Dovecot configuration (authentication)
Hi All,
I'm setting up an email server, and so far everything looks good. I do have one challenge left with dovecot ....
For security I want to authenticate users with 2 factor authentication. So far I've set up PAM to use the system password+google authenticator code and that works great when using a regular mail client like thunderbird.
The problem starts with two extra scenarios:
- I want to provide webmail.
- I have a few accounts that will be read automatically (by applications/scripts)
Webmail, in contrast to a normal email client, makes a new (imap) session every time you request a page, using the credentials you entered when you logged in. Of course due to the 2 factor authentication the password changes after some time, and the webmail session breaks.
For the automated accounts, I don't have the option to make them do 2 factor authentication.
I hoped to be able to solve this by making the authentication depend on the source of the request. Webmail always originates from localhost, and the automated accounts have fixed IP addresses, so they should then be able to use regular authentication. I haven't found any way to do that.
Does anyone have a solution for this problem? I guess (and hope) I'm not the only one doing this
Thanks in advance.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
freke l33t
Joined: 23 Jan 2003 Posts: 977 Location: Somewhere in Denmark
Posted: Wed Jul 09, 2014 5:27 pm
There seems to be some plugin for Roundcube-webmail to make Google OTP work.
(might be other interesting stuff in the thread, too - didn't read it all through - not planning on implementing it on my mail-server right now)
https://forums.freebsd.org/viewtopic.php?f=43&t=45341
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 812
Posted: Wed Jul 09, 2014 7:34 pm
Thanks for your reply Freke.
Quote:
There seems to be some plugin for Roundcube-webmail to make Google OTP work.

I found that too, but that is the scenario where you want 2 factor authentication on roundcube, and having a single factor towards dovecot/postfix. I'm still stuck at making dovecot do single factor authentication when the request comes from roundcube, while still using 2 factor authentication when the request comes from somewhere else.
Sure an interesting thread, I've scanned it a bit and it doesn't seem like something I can use, but I'll read it again when I have a bit more time to be sure.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 812
Posted: Thu Jul 10, 2014 3:17 pm
I got it working
I'm running two dovecot instances now with different authentication configurations and different ports. The webmail uses the special configuration with single factor authentication, on the regular ports I'm using the 2 factor authentication. A firewall makes sure that only the one with 2 factor authentication is available from outside.
After that I used the roundcube plugin mentioned in the thread Freke linked to, which made the webmail itself perform 2 factor authentication.
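The two-instance layout described in the last post, sketched as an added example; it is not the poster's actual configuration. The file paths, port 10143 and the PAM service names are assumptions, and mail storage settings are taken to be identical in both instances. The webmail is then pointed at 127.0.0.1 on the internal port.

```conf
# Added sketch. Paths, port 10143 and PAM service names are assumptions.

# ---- /etc/dovecot/dovecot.conf : public instance (auth part only) ----
passdb {
  driver = pam
  # PAM service /etc/pam.d/dovecot: password plus one-time code
  args = dovecot
}

# ---- /etc/pam.d/dovecot ----
# forward_pass: the client sends password and code as one string; the
# module checks the code and hands the password to the next module.
auth     required  pam_google_authenticator.so forward_pass
auth     required  pam_unix.so use_first_pass
account  required  pam_unix.so

# ---- /etc/dovecot/dovecot-internal.conf : webmail instance ----
# Started separately: dovecot -c /etc/dovecot/dovecot-internal.conf
instance_name = dovecot-internal
# base_dir must differ from the public instance's
base_dir = /var/run/dovecot-internal
protocols = imap
service imap-login {
  inet_listener imap {
    # loopback only; the webmail runs on this host
    address = 127.0.0.1
    port = 10143
  }
  inet_listener imaps {
    # port 0 disables the listener
    port = 0
  }
}
passdb {
  driver = pam
  # PAM service /etc/pam.d/dovecot-internal: system password only
  args = dovecot-internal
}
userdb {
  driver = passwd
}

# ---- /etc/pam.d/dovecot-internal ----
auth     required  pam_unix.so
account  required  pam_unix.so

# ---- firewall rule, in addition to the loopback bind ----
# iptables -A INPUT -p tcp --dport 10143 ! -i lo -j DROP
```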