[Dovecot] Logon with Client Certificate and OTP fallback

Robert Schetterer rs at sys4.de
Sun Mar 10 13:57:27 EET 2013

On 10.03.2013 11:28, dovecot.pkoch at dfgh.net wrote:
> Dear Dovecot experts,
> we have unusual authentication requirements, namely:
> - almost all of our users are using a smartcard to connect
> with our mailserver. Thunderbird is our friend here as it will
> use the smartcard as an additional certificate store and
> Thunderbird will do client certificate based authentication
> when connecting via SSL with a mailserver
> - there's no way (at least that I know of) for our iPad users
> to use a smartcard, so our iPad and iPhone users use
> OTP tokens (http://www.gooze.eu/catalog/otp-tokens-oath-0)
> For 10 years we have been using a very simple POP3-server where
> I replaced the authentication routines with my own functions
> and these functions are doing the following:
> 1) if the connection was made without SSL refuse to connect
> 2) if the client was using a client certificate extract the username
> from the certificate. Since we cannot stop Thunderbird from
> sending a username/password-combination we compare the
> username from the certificate with the username Thunderbird has
> sent. If the usernames match we allow access and ignore
> the password.
> 3) if the client did not send a client certificate we calculate the
> current OneTimePassword of the user's OTP-token and compare
> that with the password Thunderbird has sent. If the passwords match
> we allow access. If an OTP-password was validated it can be used
> for 24 hours so our OTP-users must use their tokens only once a day.
> Now we would like to switch from POP3 to IMAP, so here are my
> questions:
> - can Dovecot be CONFIGURED to do the above? I compiled it yesterday
> and SSL client authentication works as expected. OTP seems to be
> supported via PAM and I can write a PAM-module for our OTP-tokens,
> so OTP would be possible too. But how do I tell Dovecot to do
> OTP-auth as a fallback for ClientCert-auth?
> - I already looked into the sourcecode of Dovecot. Seems like all the
> authentication routines were built as pluggable modules. Is there any
> documentation out there on how to build my own auth-module?
> Integrating the OTP-auth directly into Dovecot would be a lot
> easier (for me) than creating a PAM-module, so I would prefer that.
> If there was interest from other people I would add some configuration
> options to Dovecot (for example the location of the OTP-token list).
> Otherwise I would just hardcode everything into the source.
> Peter

try read


This can be useful with e.g. pam_opie to find out which one time
password you're supposed to give:

1 LOGIN username otp
1 NO otp-md5 324 0x1578 ext, Response:

Best Regards
Kind regards, Robert Schetterer

[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
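
The three-step policy from the quoted message (refuse without SSL, match the certificate name against the login name, fall back to an OTP that stays valid for 24 hours), as an added Python example that is not code from this thread or from Dovecot. It assumes time-based OATH tokens (RFC 6238, 30-second steps, 6 digits), since the post does not say which token type is used; `Authenticator`, `check`, `same` and the seed table are hypothetical names.

```python
import hashlib, hmac, struct

STEP = 30  # assumption: time-based OATH tokens with 30-second steps

def totp(seed: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(seed, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class Authenticator:
    def __init__(self, seeds: dict, reuse_window: int = 24 * 3600):
        self.seeds = seeds                # username -> token seed (hypothetical store)
        self.reuse_window = reuse_window  # validated OTP stays usable for 24 hours
        self.accepted = {}                # username -> (otp, time it was validated)

    def check(self, tls, cert_user, login_user, password, now) -> bool:
        if not tls:                       # 1) connection without SSL: refuse
            return False
        if cert_user is not None:         # 2) certificate name must match the login
            return same(cert_user, login_user)   # name; the password is ignored
        seed = self.seeds.get(login_user) # 3) no certificate: fall back to OTP
        if seed is None:
            return False
        cached = self.accepted.get(login_user)
        if cached and now - cached[1] < self.reuse_window and same(cached[0], password):
            return True                   # OTP already validated inside the window
        if same(totp(seed, now), password):
            self.accepted[login_user] = (password, now)
            return True
        return False

# Constructed sample: the RFC 4226/6238 test seed, not a real token.
if __name__ == "__main__":
    auth = Authenticator({"alice": b"12345678901234567890"})
    print(auth.check(True, None, "alice", totp(b"12345678901234567890", 59), 59))
```
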
