Quoting mj <[email protected]>:
Hi,
Further to the other thread about password guessing activities
against our dovecot, I would like to implement application specific
passwords on our dovecot.
Googling results in some documents, but they are all a bit older:
https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot
http://www.justinbuchanan.com/blog/category/RoundCube
http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix
Those articles are interesting, but also rather old. (I realse that
this does not neccesarily mean: irrelevant or bad)
Is there anone here with some additional notes, ideas, tips, trics
on setting up application specific passwords with dovecot with
virtual users? We are using samba AD as an authentication backend.
MJ
I'm working on PrivacyIdea (PI) integration for 2FA. The reason I
mention this for app passwords is because PI allows multiple 'tokens'
that aren't just for 2FA.
This would allow you give your users a web portal to create 'password'
(SPASS) tokens - using their AD pass to auth to the portal. Then using
PAM Radius, Dovecot can auth against the multiple password tokens.
Personally - I'm not too thrilled about having users have multiple
passwords for IMAP - BUT if you're trying to protect the AD password,
this would be a method of isolating AD away. You can set PI to fall
back to the AD password if the user doesn't have a token, so
integration is pretty seamless.
You can also do some fancy policy-based token matching to require 2FA
for say - webmail - and allow SPASS for POP/IMAP. This is what I'm
aiming for, but I've had issues with the webmail client portion (user
using 2FA, and IMAP being hardcoded) and haven't gotten back to it to
truely guide anyone else through it.
Rick
