On 10.03.2013 11:28, dovecot.pk...@dfgh.net wrote:
> Dear Dovecot experts,
>
> we have unusual authentication requirements, namely:
>
> - almost all of our users are using a smartcard to connect
>   with our mailserver. Thunderbird is our friend here as it will
>   use the smartcard as an additional certificate store and
>   Thunderbird will do client certificate based authentication
>   when connecting via SSL with a mailserver
>
> - there's no way (at least that I know of) for our iPad users
>   to use a smartcard, so our iPad and iPhone users use
>   OTP tokens (http://www.gooze.eu/catalog/otp-tokens-oath-0)
>
> For 10 years we have been using a very simple POP3 server where
> I replaced the authentication routines with my own functions,
> and these functions do the following:
>
> 1) if the connection was made without SSL, refuse to connect
> 2) if the client was using a client certificate, extract the username
>    from the certificate. Since we cannot stop Thunderbird from
>    sending a username/password combination, we compare the
>    username from the certificate with the username Thunderbird has
>    sent. If the usernames match we allow access and ignore
>    the password.
> 3) if the client did not send a client certificate, we calculate the
>    current OneTimePassword of the user's OTP token and compare
>    that with the password Thunderbird has sent. If the passwords match
>    we allow access. If an OTP password was validated it can be used
>    for 24 hours, so our OTP users must use their tokens only once a day.
>
> Now we would like to switch from POP3 to IMAP, so here are my
> questions:
>
> - can Dovecot be CONFIGURED to do the above? I compiled it yesterday
>   and SSL client authentication works as expected. OTP seems to be
>   supported via PAM and I can write a PAM module for our OTP tokens,
>   so OTP would be possible too. But how do I tell Dovecot to do
>   OTP auth as a fallback for ClientCert auth?
>
> - I already looked into the source code of Dovecot. Seems like all the
>   authentication routines were built as pluggable modules. Is there any
>   documentation out there on how to build my own auth module?
>   Integrating the OTP auth directly into Dovecot would be a lot
>   easier (for me) than creating a PAM module, so I would prefer that.
>   If there was interest from other people I would add some configuration
>   options to Dovecot (for example the location of the OTP token list).
>   Otherwise I would just hardcode everything into the source.
>
> Peter

Try reading http://wiki2.dovecot.org/PasswordDatabase/PAM ...

This can be useful with e.g. pam_opie to find out which one-time password you're supposed to give:

    1 LOGIN username otp
    1 NO otp-md5 324 0x1578 ext, Response: ...

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
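The OTP check Peter describes (compute the token's current value, compare it with the password the client sent, and keep a validated value usable for 24 hours) is the core of what an OTP PAM module or Dovecot passdb would have to do. The following is an added example, not code from the thread or from Dovecot: it assumes the OATH tokens are event-based HOTP tokens (RFC 4226, HMAC-SHA1, six digits), uses the RFC 4226 test secret as constructed sample data, and the names `hotp`, `OtpVerifier`, `verify_fresh` and `verify` are hypothetical. It adds two things the thread's description leaves implicit: a look-ahead window so a token that was pressed a few times without logging in still verifies, and counter advancement so a consumed value cannot verify as a fresh OTP again. The 24-hour reuse window is implemented as a separate cache keyed by a hash of user and value, so its replay exposure is confined to that cache rather than to the token counter.

```python
"""HOTP (RFC 4226) verification with counter-based replay protection and a
time-limited reuse cache. Added example, not from the thread; the secret used
below is the RFC 4226 test secret, not a real token seed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for an event-based OATH token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical server-side verifier: per-user secret + counter, a
    look-ahead window, and a 24-hour cache of already-validated values."""

    GRACE_SECONDS = 24 * 3600                    # the reuse window from the thread

    def __init__(self, look_ahead: int = 10):
        self.look_ahead = look_ahead
        self._tokens = {}    # user -> {"secret": bytes, "counter": int}
        self._grace = {}     # sha256(user, otp) -> expiry timestamp

    def register(self, user: str, secret: bytes, counter: int = 0) -> None:
        self._tokens[user] = {"secret": secret, "counter": counter}

    @staticmethod
    def _grace_key(user: str, otp: str) -> str:
        # Store a hash, not the OTP value itself, in the reuse cache.
        return hashlib.sha256(f"{user}\0{otp}".encode()).hexdigest()

    def verify_fresh(self, user: str, candidate: str) -> bool:
        """Accept a value only if it matches a counter at or ahead of the
        stored one, then advance past it so it can never verify again."""
        rec = self._tokens.get(user)
        if rec is None or not (candidate.isdigit() and len(candidate) == 6):
            return False
        start = rec["counter"]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), candidate):
                rec["counter"] = c + 1           # consume this and any skipped counters
                return True
        return False

    def verify(self, user: str, candidate: str, now: float) -> bool:
        """Password-style check: a value validated within the last 24 hours
        is accepted again; otherwise it must verify as a fresh OTP."""
        key = self._grace_key(user, candidate)
        expiry = self._grace.get(key)
        if expiry is not None:
            if now < expiry:
                return True
            del self._grace[key]                 # expired entry, drop it
        if self.verify_fresh(user, candidate):
            self._grace[key] = now + self.GRACE_SECONDS
            return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"             # RFC 4226 test secret (constructed sample)
    v = OtpVerifier()
    v.register("peter", SECRET)
    print(v.verify("peter", hotp(SECRET, 1), now=1000))   # fresh value, accepted
    print(v.verify("peter", hotp(SECRET, 1), now=2000))   # same value within 24h, accepted
    print(v.verify_fresh("peter", hotp(SECRET, 1)))       # as a fresh OTP it is spent
```

Keying the reuse cache by `(user, value)` keeps the 24-hour allowance from turning into "any old OTP works for a day": only the value that was actually validated is accepted again, and only for that user. Wiring this into Dovecot would mean calling `verify` from a PAM module (the route the reply above points to) or from a custom passdb.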