[Dovecot] Ideas for Webmail/OTP

Frank Behrens frank at pinky.sax.de
Tue Jul 24 09:19:21 EEST 2007


Charles Marcus <dovecot at dovecot.org> wrote on 23 Jul 2007 13:21:

> Phillip T. George, on 7/23/2007 1:00 PM, said the following:
> > SSL/TLS is not going to solve the keylogger and malware problem.  
> > Basically, if you're on a public (or even a friend's) computer and 
> > someone decides to monitor keystrokes using some application, your 
> > password will be completely compromised.
> 
> Well, thats true, but this really isn't a dovecot issue...

Yes, that's true. I believe I must make some additional notes to explain the reason for my 
mail:

1. I believe one One-time Passwords can be useful, especially in untrusted webmail 
environments.

2. Until now I did not find an easy solution to setup OTP with common used IMAP servers 
and webmail packages. If somebody is able to show me a solution I would be happy and we 
can abort this thread.

3. I did not use dovecot before, but when I evaluated some IMAP servers I came to the 
conclusion, that dovecot has a clean structure and can be extended easily. I was able to 
patch dovecot in order to show that the proposed solutions are possible.

So dovecot has no errors in this context, but I believe it could be extended easily and that's 
why I wrote in this mailing list. My hope is, that people comment:
- My ideas are stupid or not.
- My proposol is a useful IMAP extension, or we should solve the problem in other ways.
- We should extend dovecot a litle bit or leave it, because other mail servers does not 
implement such a feature.

I do not complain about dovecot, I'm proposing some enhancements, but may be in the 
wrong direction. I hope I do not disturb the mailing list readers.

Regards,
   Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.



More information about the dovecot mailing list