Gentoo Forums
Dovecot configuration (authentication)
pa4wdh
l33t

Joined: 16 Dec 2005
Posts: 812

Posted: Wed Jul 09, 2014 1:21 pm    Post subject: Dovecot configuration (authentication)

Hi All,

I'm setting up an email server, and so far everything looks good. I do have one challenge left with dovecot ....

For security I want to authenticate users with 2 factor authentication, so far I've set up pam to use the system password+google authenticator code and that works great when using a regular mail client like thunderbird.

The problem starts with two extra scenarios:
- I want to provide webmail.
- I have a few accounts that will be read automatically (by applications/scripts)

Webmail, in contrast to a normal email client, makes a new (imap) session every time you request a page using the credentials you entered when you logged in. Of course due to the 2 factor authentication the password changes after some time, and the webmail session breaks.
For the automated accounts, I don't have the option to make them do 2 factor authentication.

I hoped to be able to solve this by making the authentication depend on the source of the request. Webmail always originates from localhost, and the automated accounts have fixed IP addresses, so they should then be able to use regular authentication. I haven't found any way to do that.

Does anyone have a solution for this problem? I guess (and hope :) ) I'm not the only one doing this :)

Thanks in advance.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
freke
l33t

Joined: 23 Jan 2003
Posts: 977
Location: Somewhere in Denmark

Posted: Wed Jul 09, 2014 5:27 pm

There seems to be some plugin for Roundcube-webmail to make Google OTP work.
(might be other interesting stuff in the thread, too - didn't read it all through - not planning on implementing it on my mail-server right now)

https://forums.freebsd.org/viewtopic.php?f=43&t=45341
pa4wdh
l33t

Joined: 16 Dec 2005
Posts: 812

Posted: Wed Jul 09, 2014 7:34 pm

Thanks for your reply Freke.
Quote:

There seems to be some plugin for Roundcube-webmail to make Google OTP work.

I found that too, but that is the scenario where you want 2 factor authentication on roundcube, and having a single factor towards dovecot/postfix. I'm still stuck at making dovecot do single factor authentication when the request comes from roundcube, while still using 2 factor authentication when the request comes from somewhere else.

Quote:

(might be other interesting stuff in the thread, too - didn't read it all through - not planning on implementing it on my mail-server right now)

https://forums.freebsd.org/viewtopic.php?f=43&t=45341

Sure an interesting thread, I've scanned it a bit and it doesn't seem like something I can use, but I'll read it again when I have a bit more time to be sure.
pa4wdh
l33t

Joined: 16 Dec 2005
Posts: 812

Posted: Thu Jul 10, 2014 3:17 pm

I got it working :)

I'm running two dovecot instances now with different authentication configurations and different ports. The webmail uses the special configuration with single factor authentication; on the regular ports I'm using the 2 factor authentication. A firewall makes sure that only the one with 2 factor authentication is available from outside.
After that I used the Roundcube plugin mentioned in the thread Freke linked to, which made the webmail itself perform 2 factor authentication.
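
Added example, not part of the thread: a shell check for the two-instance layout described in the last post. It reports any listener on the single-factor instance's port that is bound beyond loopback, so the firewall is not the only control keeping that port private. The port 10143, the function names and the `ss` sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed port of the single-factor (webmail-only) dovecot instance;
# the thread does not state which port was used.
SINGLE_FACTOR_PORT=10143

# Reads `ss -H -ltn` style lines on stdin and prints every local address
# listening on port $1 that is not loopback. Returns 1 if any is found.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            laddr = $4
            n = split(laddr, parts, ":")
            if (parts[n] != port) next
            # Strip ":port" to get the bind address, e.g. "[::]" or "0.0.0.0".
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print laddr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: 2FA instance on 143/993, single-factor on loopback only.
sample_ok() {
    cat <<'EOF'
LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
LISTEN 0 100 127.0.0.1:10143 0.0.0.0:*
EOF
}

# Constructed sample: single-factor instance bound to all interfaces.
sample_bad() {
    cat <<'EOF'
LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:10143 0.0.0.0:*
LISTEN 0 100 [::]:10143 [::]:*
EOF
}

# Demo on the constructed data; on a live host feed it `ss -H -ltn` instead.
sample_bad | exposed_listeners "$SINGLE_FACTOR_PORT" ||
    echo "single-factor port is bound beyond loopback"
```

On a real server the same function can be run from cron or a monitoring check as `ss -H -ltn | exposed_listeners 10143`, alerting on a non-zero exit status.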