> On August 31, 2017 at 12:41 AM Raymond Sellars <raymond.sell...@orionhealth.com> wrote:
>
> Hi
>
> Looking for some confirmation/direction on how to achieve the following.
>
> We have a requirement to support both SASL PLAIN and DIGEST-MD5 authentication (certification reasons). In addition to this we have an application (webmail) that utilises a master password pattern for access, as the containing web portal provides the necessary authentication.
>
> I have access to users' passwords in PLAIN text and am looking to utilise the dict lookup mechanism for passwords.
>
> Problem #1
>
> https://wiki2.dovecot.org/Authentication/MultipleDatabases - "Currently the fallback works only with the PLAIN authentication mechanism."
>
> The above note suggests I can't use DIGEST-MD5 with a master password configuration if using more than one passdb setup. I don't understand why there would be a restriction, as the password validation should just fall through irrespective.
>
Because CRAM-MD5 is bothersome. Do you really need it? It's not really necessary with SSL.

> Problem #2 How do I enforce some kind of account access policy
>
> Currently we're backing the authentication with an Identity and Authentication system. I would like to block IMAP access if a user's account is locked out, expired, or inactive. Similarly, if there are too many IMAP attempts with the incorrect password I would like the account to be locked out system-wide.
>
> With dict lookup I don't see a mechanism to keep the IDM system aware of login attempts/failures, since it pulls the plaintext password and validates internally. Is this possible?
>
> As a worst case, does Dovecot implement any type of account access policies? Our IT security reviewers are hot on account policies, i.e. lockouts, expiries, and back-off attempts.

You can use https://wiki2.dovecot.org/Authentication/Policy to implement complex requirements. Other than that, Dovecot will deter brute force on its own to some degree.

> Thanks
> Raymond
> Solution Architect - Orion Health

Aki Tuomi
Dovecot Oy
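As an added illustration of the policy mechanism Aki points to (this is example code written for this page, not code from the Dovecot project or from either poster), the following is a minimal auth-policy server that enforces the account rules from Problem #2 in front of a passdb that only holds the plaintext password: it rejects locked, expired and inactive accounts, locks an account after too many recent failures, and tarpits repeated attempts. It assumes a Dovecot configured with auth_policy_server_url pointing at it, auth_policy_check_before_auth and auth_policy_report_after_auth enabled, and auth_policy_server_api_header carrying a bearer token; the JSON field names (login, success), the status semantics (negative rejects, 0 allows, positive delays by that many seconds), the token value, the URL, and the ACCOUNTS directory are assumptions made here, and the account data is constructed for the example.

```python
# Added example, not code from the Dovecot project or from the thread above.
# A minimal Dovecot auth-policy server that applies account policies Dovecot
# cannot see when it validates a plaintext password from a dict lookup:
# locked/expired/inactive accounts, lockout after repeated failures, and
# per-attempt back-off.
#
# Assumed Dovecot side (the setting names exist in Dovecot; values are ours):
#   auth_policy_server_url        = http://127.0.0.1:8080/
#   auth_policy_server_api_header = Authorization: Bearer policy-secret
#   auth_policy_hash_nonce        = <long random string>
#   auth_policy_check_before_auth = yes
#   auth_policy_report_after_auth = yes
#   auth_policy_reject_on_fail    = yes
#
# Protocol as assumed here: Dovecot POSTs a JSON object whose keys come from
# auth_policy_request_attributes (login, pwhash, remote, protocol, ...);
# after-auth reports also carry "success" (bool). The reply is JSON
# {"status": N, "msg": "..."}: N < 0 rejects, 0 allows, N > 0 allows after
# an N-second delay.

import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

API_TOKEN = "policy-secret"   # must match auth_policy_server_api_header (assumed)
MAX_FAILURES = 5              # failures before a system-wide lockout
FAILURE_WINDOW = 15 * 60      # seconds over which failures are counted
BACKOFF_STEP = 2              # extra delay (s) per recent failure
BACKOFF_CAP = 30              # never tarpit longer than this

# Constructed stand-in for the IDM's view of accounts; "expires" is Unix time.
ACCOUNTS = {
    "alice@example.com": {"state": "active", "expires": 4102444800},   # 2100-01-01
    "bob@example.com":   {"state": "locked", "expires": 4102444800},
    "carol@example.com": {"state": "active", "expires": 946684800},    # 2000-01-01
    "dave@example.com":  {"state": "inactive", "expires": 4102444800},
}

# In-memory failure log: login -> list of failure timestamps. A real deployment
# would write these into the IDM so the lockout is visible system-wide.
FAILURES = {}


def recent_failures(login, now):
    """Drop failures older than FAILURE_WINDOW and return how many remain."""
    kept = [t for t in FAILURES.get(login, []) if now - t < FAILURE_WINDOW]
    FAILURES[login] = kept
    return len(kept)


def decide(request, now=None):
    """Return the {"status", "msg"} reply for one Dovecot policy request.

    Requests without a "success" key are before-auth checks; requests with
    it are after-auth reports of the outcome.
    """
    now = time.time() if now is None else now
    login = request.get("login", "")
    acct = ACCOUNTS.get(login)

    if "success" in request:                       # after-auth report
        if request["success"]:
            FAILURES.pop(login, None)              # good login resets the counter
        else:
            FAILURES.setdefault(login, []).append(now)
            if acct and recent_failures(login, now) >= MAX_FAILURES:
                acct["state"] = "locked"           # lock the account, not just IMAP
        return {"status": 0, "msg": "reported"}

    # before-auth check: account policy first, then brute-force back-off
    if acct is None:
        return {"status": 0, "msg": "unknown account, passdb decides"}
    if acct["state"] != "active":
        return {"status": -1, "msg": "account " + acct["state"]}
    if acct["expires"] <= now:
        return {"status": -1, "msg": "account expired"}
    n = recent_failures(login, now)
    if n >= MAX_FAILURES:
        return {"status": -1, "msg": "too many failed attempts"}
    return {"status": min(n * BACKOFF_STEP, BACKOFF_CAP), "msg": "ok"}


class PolicyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.headers.get("Authorization") != "Bearer " + API_TOKEN:
            self.send_error(403)                   # only Dovecot may ask
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            request = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400)
            return
        body = json.dumps(decide(request)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet; forward to the IDM/SIEM in a real deployment


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```

Note that the lockout is applied in the after-auth report, so a rejected login still counts toward it, and the locked state persists in ACCOUNTS after the failure window has elapsed; clearing it is an IDM operation, not something the server does on its own.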