[Dovecot] Logon with Client Certificate and OTP fallback

dovecot.pkoch at dfgh.net dovecot.pkoch at dfgh.net
Sun Mar 10 12:28:54 EET 2013

Dear Dovecot experts,

we have unusual authentication requirements, namely:

- almost all of our user are using a smartcard to connect
with our mailserver. Thunderbird is our friend here as it will
use the smartcard as an additional certificate store and
Thunderbird will do client certificate based authentication
when connecting via SSL with a mailserver

- there's no way (at least that I know of) for our iPad users
to use a smartcard, so our iPad and iPhone users use
OTP token (http://www.gooze.eu/catalog/otp-tokens-oath-0)

For 10 years we are using a very simple POP3-server where
I replaced the authentication routines with my own functions
and these function are doing the following:

1) if the connection was made without SSL refuse to connect
2) if the client was using a client certificate extract the username
from the certificate. Since we cannot stop Thunderbird from
sending a username/passowrd-combination we compare the
username from the certificate with the username Thunderbird has
sent. If the usernames matches we allow access and ignore
the password.
3) if the client did not sent a client certificate we calculate the
current OneTimePassword of the users OTP-token and compare
that with the password Thunderbird has sent. If the passwords matches
we allow access. If a OTP-password was validated it can be used
for 24 hours so our OTP-users must use their tokens only once a day.

Now we would like to switch from POP3 to IMAP, so here are my

- can Dovecot be CONFIGURED to do the above. I compiled it yesterday
and SSL client authentication works as expected. OTP seems to be
supported via PAM and I can write a PAM-modul for our OTP-tokens,
so OTP would be possible too. But how do I tell Dovecot to do
OTP-auth as a fallback for ClientCert-auth.

- I already looked into the sourcecode of Dovecot. Seems like all the
authentication routines were built as pluggable modules. Is there any
documentation out there on how how to built my own auth-module.
Integrating the OTP-auth directly into Dovecot would be a lot
easier (for me) than creating a PAM-module, so I would prefer that.
If there was interest from other people I would add some configuration
options to Dovecot (for example the location of the OTP-token list).
Otherwise I would just hardcode everything into the source.


More information about the dovecot mailing list