Hi Robert

2013/3/10 Robert Schetterer - r...@sys4.de < dovecot.pkoch.74fa2fe130.rs#sys4...@ob.0sg.net>
> try read
>
> http://wiki2.dovecot.org/PasswordDatabase/PAM
>
> ...
> This can be useful with e.g. pam_opie to find out which one time
> password you're supposed to give:
>
> 1 LOGIN username otp
> 1 NO otp-md5 324 0x1578 ext, Response:
>

I don't worry about how to use Dovecot with either SSL Client-Certificates or our OTP-token. SSL ClientCerts do work as expected and using our token is just a matter of finding the right PAM-module.

pam_opie is the wrong module as OPIE is a method to pregenerate a list of One Time Passwords in software. What we are using is a hardware token that generates One Time Passwords as described in RFC 4226. There are PAM-modules out there that might do the job but since I have implemented the algorithm already into our POP3-server I could build a PAM-module myself.

What I would like to know in advance is: How do I configure Dovecot such that SSL Client-Auth is used with priority 1 and OTP-auth is used only for SSL-connections without a ClientCert. Non-SSL connections should not be allowed at all.

If that combination was not possible I'm hoping to get some hints on how to change the Dovecot source.

Kind regards

Peter
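Added example, not part of the original message and not Dovecot or PAM code: the server-side check a PAM module for an RFC 4226 token has to perform, including the look-ahead window and the counter update that prevents replay. The function names, the window size of 3 and the sample secret (taken from the RFC's test vectors) are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226 section 5.3 (HMAC-SHA-1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, stored_counter: int, candidate: str, window: int = 3):
    """Check candidate against counters stored_counter..stored_counter+window.

    Returns the next counter value to persist on success, None on failure.
    The look-ahead window (RFC 4226 section 7.4) tolerates token button
    presses that never reached the server. Persisting the returned counter
    is what makes an accepted password unusable a second time.
    """
    for c in range(stored_counter, stored_counter + window + 1):
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        if hmac.compare_digest(hotp(secret, c).encode(), candidate.encode()):
            return c + 1
    return None


# Constructed sample input: shared secret from RFC 4226 Appendix D.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    counter = 0  # value the server would load from its per-user store
    # Second OTP skips two counters; third is a replay of the second.
    for otp in ("755224", "969429", "969429", "000000"):
        nxt = verify(SECRET, counter, otp)
        print(otp, "accepted" if nxt is not None else "rejected")
        if nxt is not None:
            counter = nxt
```

A real module would also throttle failed attempts per user (RFC 4226 section 7.3), since each guess is tested against window + 1 counters.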