>> Is there any sort of supported way of wiring up login_duo with >> OpenSMTPD and Dovecot, or using bsdauth in some way to enforce a >> second auth factor? > >bsdauth isn't really setup for multi factor, the only way I've seen >this >done is splitting the password field into a fixed-length OTP and a >password.
I use a ssh tunnel for access to dovecot, with the same username via bsdauth. Not exactly two factor at the account level but even more secure IMO and ssh has two factor ability now too. I tried but abandoned switching to client tls certs as keeping tunnels or vpns open isn't so great on mobile for notifications and ensuring clients trust one CA, especially on mobiles is impossible? Nowadays, without writing your own client (all use android trust store?!) Note: bsdauth may be being removed by dovecot, annoyingly. http://openbsd-archive.7691.n7.nabble.com/bsdauth-being-removed-from-Dovecot-td387268.html