[Dovecot] Ideas for Webmail/OTP

Frank Behrens frank at pinky.sax.de
Tue Jul 24 15:31:14 EEST 2007


Jasper Bryant-Greene <jasper at albumltd.co.nz> wrote on 24 Jul 2007 23:40:
> a) provide the otp sequence as a capability (e.g. X-OTP-SEQ=1234), or
> 
> b) provide a dovecot-specific IMAP command for finding out the current
>    sequence value (e.g. X-OTP-SEQ)
> 
> The sending of a dummy password to retrieve the LOGIN response seems like a
> bit of a hack (no offense to Frank - I'm keen to see this OTP idea
> implemented), but again, the above is written without much knowledge of the
> IMAP protocol.

The problem is that the OTP sequence is user dependent. When you use PAM you can't
determine if a user uses OTP until you try a login (you call pam_authenticate()).

There is an existing mechanism in IMAP: SASL with OTP. But in that case you can not use the
operating system configuration with PAM; instead the IMAP server must handle the OTP
challenge itself. I believe this is integrated in the new dovecot 1.1 version. A problem with this
setup is that you need special support by a webmail client. I didn't find any (easy) solution
with support for it, with the exception of an extra IMAP-OTP-proxy server.

Or another view: Until now dovecot (and I believe nearly all other IMAP servers) use PAM in
a restricted form only. PAM means
- you define all login capabilities and security restrictions and databases in the operating
system.
- when you try to authenticate a user, the PAM module requests the information via
callbacks. That means a prompt is displayed for the user name, and the user name is passed to PAM.
Then a prompt for the password is displayed, and the password is passed to PAM. Theoretically this
can be continued. With traditional IMAP LOGIN (I do not speak about SASL) the client
supplies username and password together and this must be mapped to the callback
sequence. Here the PAM prompts are ignored, and in the case of OTP they contain important
information. My (probably non-standard IMAP) extension creates the possibility to return the
PAM callback message to the user.

When you think about it: A webmail client and the different IMAP login mechanisms do not fit
together very well. So some posters are right: you should better use a "real" IMAP client. But
IMHO webmail is a useful solution when you are on vacation or business travel and want to
access your email. And together with one time passwords the security risk is not too high, so
you can use it.

Regards,
   Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
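As an added illustration of the mapping Frank describes (not code from this thread, from Dovecot, or from any PAM module), the following models a PAM conversation function that answers PAM's prompts from a combined IMAP LOGIN username/password, but keeps the prompt text instead of discarding it, so an RFC 2289 style OTP challenge ("otp-md5 497 dove1234") and its per-user sequence number can be handed back to the client. The message style constants mirror <security/pam_appl.h>; the prompt sequence and challenge values are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# PAM message styles; numeric values match <security/pam_appl.h>
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4

# RFC 2289 challenge syntax: "otp-<algorithm> <sequence> <seed>"
OTP_CHALLENGE = re.compile(r"otp-(\w+)\s+(\d+)\s+(\S+)")


@dataclass
class ConvResult:
    responses: List[str] = field(default_factory=list)  # what conv() hands back to PAM
    messages: List[str] = field(default_factory=list)   # prompt text a plain LOGIN would drop
    otp_sequence: Optional[int] = None                  # the value Jasper's X-OTP-SEQ would carry
    otp_seed: Optional[str] = None


def imap_login_conv(messages: List[Tuple[int, str]], username: str, password: str) -> ConvResult:
    """Map a combined IMAP LOGIN onto PAM's prompt-by-prompt conversation.

    messages: (style, text) pairs as a PAM module would pass to the conversation
    function. An echo-on prompt is answered with the user name, an echo-off prompt
    with the password; info/error messages get no answer. Every prompt text is
    retained, and any OTP challenge inside it is parsed, so the server can return
    the challenge to the user instead of silently ignoring it.
    """
    out = ConvResult()
    for style, text in messages:
        out.messages.append(text)
        match = OTP_CHALLENGE.search(text)
        if match:  # challenge may sit inside an info message or inside the prompt itself
            out.otp_sequence, out.otp_seed = int(match.group(2)), match.group(3)
        if style == PAM_PROMPT_ECHO_ON:
            out.responses.append(username)
        elif style == PAM_PROMPT_ECHO_OFF:
            out.responses.append(password)
    return out


# Constructed sample: an OTP-style module prompting for the login name, then for the
# one-time response, with the challenge embedded in the (echo-off) prompt text.
SAMPLE_OTP_PROMPTS = [
    (PAM_PROMPT_ECHO_ON, "login: "),
    (PAM_PROMPT_ECHO_OFF, "otp-md5 497 dove1234 ext\nResponse: "),
]

# Constructed sample: an ordinary password module, where nothing is lost by ignoring prompts.
SAMPLE_PASSWORD_PROMPTS = [(PAM_PROMPT_ECHO_OFF, "Password: ")]
```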