[Dovecot] Logon with Client Certificate and OTP fallback

Timo Sirainen tss at iki.fi
Wed Mar 20 19:35:09 EET 2013

On 10.3.2013, at 12.28, dovecot.pkoch at dfgh.net wrote:

> For 10 years we are using a very simple POP3-server where
> I replaced the authentication routines with my own functions
> and these function are doing the following:
> 1) if the connection was made without SSL refuse to connect
> 2) if the client was using a client certificate extract the username
> from the certificate. Since we cannot stop Thunderbird from
> sending a username/passowrd-combination we compare the
> username from the certificate with the username Thunderbird has
> sent. If the usernames matches we allow access and ignore
> the password.
> 3) if the client did not sent a client certificate we calculate the
> current OneTimePassword of the users OTP-token and compare
> that with the password Thunderbird has sent. If the passwords matches
> we allow access. If a OTP-password was validated it can be used
> for 24 hours so our OTP-users must use their tokens only once a day.
> Now we would like to switch from POP3 to IMAP, so here are my
> questions:
> - can Dovecot be CONFIGURED to do the above. I compiled it yesterday
> and SSL client authentication works as expected. OTP seems to be
> supported via PAM and I can write a PAM-modul for our OTP-tokens,
> so OTP would be possible too. But how do I tell Dovecot to do
> OTP-auth as a fallback for ClientCert-auth.

Create a passdb that succeeds if user has a valid SSL client cert. http://wiki2.dovecot.org/Variables has %k which is "valid" if client has it set. There are several ways you can do this .. for example with sqlite do a SELECT that checks for %k. Another possibility is a checkpassword script.

The secondary passdb would then be the OTP.

> - I already looked into the sourcecode of Dovecot. Seems like all the
> authentication routines were built as pluggable modules. Is there any
> documentation out there on how how to built my own auth-module.
> Integrating the OTP-auth directly into Dovecot would be a lot
> easier (for me) than creating a PAM-module, so I would prefer that.
> If there was interest from other people I would add some configuration
> options to Dovecot (for example the location of the OTP-token list).
> Otherwise I would just hardcode everything into the source.

See how the auth process already can build an ldap plugin. For outside sources you can build auth plugins the same way as any other plugins. http://dovecot.org/patches/ has many such example plugins. Or see how Pigeonhole does it with autotools.

More information about the dovecot mailing list