[Dovecot] Ideas for Webmail/OTP
tss at iki.fi
Tue Jul 24 09:42:29 EEST 2007
On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
> Solution 1:
> When PAM is configured for IMAP the user can use a one-time-password in the same way
> as before. The problem is, that the user must know the sequence number for the password
> (otp challenge), so we need a way to display it. The PAM module supplies the otp challenge
> in the conversation function, but the challenge is not processed by the IMAP server.
> My proposal: The IMAP server stores the challenge from the conversation function and
> includes it in the LOGIN response, when the login was not successful. So a user can try a
> login with a wrong dummy password and get knowledge about the current otp sequence.
I'd like to see your patch for this. I've no idea how pam_otp works.
> Solution 3:
> When we configure PAM we can restrict/allow its use depending on IP address of client.
> Unfortunately with a webmail client the IMAP client is always the webserver. It should be
> possible, that the webserver forwards the client IP address to the IMAP server. Furthermore
> to use dovecot's login cache as described above in a safe manner, the IP address should be
> compared, too.
> My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP extension a
> client can set the real IP address of remote client. The access to this command is restricted
> to the webserver with a new configuration parameter "trusted clients", which holds an IP
> address with mask.
Cyrus Murder has something similar to this I think. We could make it
compatible with it.
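One way the "trusted clients" gate for the proposed XSETREMOTEIP command could work, as an added example that is not part of the original thread or of Dovecot: the command is honoured only when the connecting peer falls inside a configured address/mask list, so an ordinary client cannot supply a forged origin address to slip past IP-based PAM restrictions. The command name, the tagged responses and the space-separated `addr/mask` format of the trusted-clients setting are assumptions.

```python
"""Trusted-client gate for a forwarded remote IP (hypothetical XSETREMOTEIP)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    peer_ip: str    # address the TCP connection actually came from
    remote_ip: str  # address used for access decisions (PAM, login cache)


def parse_trusted(spec: str):
    """Parse a constructed setting such as '10.0.0.5/32 192.168.1.0/24'."""
    return [ipaddress.ip_network(s, strict=False) for s in spec.split()]


def is_trusted(peer_ip: str, trusted) -> bool:
    """True when the real peer address lies inside any trusted network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def handle_xsetremoteip(session: Session, tag: str, arg: str, trusted) -> str:
    """Process 'tag XSETREMOTEIP <ip>'; only trusted peers may override remote_ip."""
    if not is_trusted(session.peer_ip, trusted):
        # Untrusted peer: keep its socket address, never accept a claimed one.
        return f"{tag} NO XSETREMOTEIP not permitted from this client"
    try:
        new_ip = ipaddress.ip_address(arg)
    except ValueError:
        return f"{tag} BAD Invalid IP address"
    session.remote_ip = str(new_ip)
    return f"{tag} OK Remote IP set"


def pam_ip_allowed(session: Session, allowed_spec: str) -> bool:
    """Per-IP PAM restriction evaluated against remote_ip, not peer_ip."""
    return is_trusted(session.remote_ip, parse_trusted(allowed_spec))


if __name__ == "__main__":
    trusted = parse_trusted("10.0.0.5/32")           # the webserver only
    web = Session("10.0.0.5", "10.0.0.5")            # webmail frontend
    print(handle_xsetremoteip(web, "a1", "203.0.113.7", trusted))
    rogue = Session("198.51.100.9", "198.51.100.9")  # direct IMAP client
    print(handle_xsetremoteip(rogue, "a2", "10.0.0.5", trusted))
    print(rogue.remote_ip)                            # still 198.51.100.9
```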