# OTP for Dovecot and Postfix



## xy16644 (Mar 8, 2014)

I want to ensure that the services I have enabled on my server are secure, even when accessing them from (say) an Internet cafe when travelling.

For Roundcube I was going to implement OpenOTP with Google Authenticator. This provides me with two-factor authentication. There's just one problem. If I log in to Roundcube at an Internet cafe and someone captures my password, they can't use it to log in to Roundcube again (as the OTP would have changed) but they COULD use that captured password for other mail services on the same server such as IMAP (Dovecot) and SMTP (Postfix). Therefore, can anyone recommend a way to secure IMAP/SMTP (Dovecot/Postfix) using two-factor authentication; is this possible? Or should I be looking at other options (i.e.: OTP is not the solution)? Client certificates (X509)?

Whatever solution I use needs to work with K9 email (on Android), Thunderbird and Outlook 2010.

Thanks!


----------



## xy16644 (Mar 9, 2014)

A bit of an update. I have installed the following plugin for Roundcube to enable OTP: https://github.com/alexandregz/twofactor_gauthenticator and I installed the Google Authenticator on my phone: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2. This is working really nicely! You can configure the plugin to force all users to use OTP or make it optional. I like the fact that no email is sent and no SMS/text is sent. The code is ON THE PHONE and NEVER contacts Google at all. This is all well except if someone uses a keylogger to record my Roundcube login credentials they can still log in via IMAP/SMTP using an email client (but not Roundcube obviously since that uses OTP now).

Is it possible with Dovecot/Postfix to have multiple passwords for one account in the MySQL database that stores them? I.e.: application specific passwords. I'd like to have two passwords for my account, one for Roundcube and one for Thunderbird/K9 email. Is this possible? This would solve all worries if someone were to record my Roundcube password and they wouldn't be able to use it with Roundcube again (as the OTP would have changed) and they couldn't use it with Thunderbird/K9 as there would be a separate password for these applications.

Can my account in MySQL have multiple passwords to do the above?
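The multiple-passwords-per-account idea asked about above is what is usually called application-specific passwords. As an added example (not from the thread, and not Dovecot's own code), here is the verification logic such a store needs: one mailbox, several independently revocable secrets, each labelled with the client it belongs to. The store class, the PBKDF2 parameters and the sample user and passwords are this example's own assumptions; how Dovecot's SQL passdb would be pointed at such a table is not covered here.

```python
"""Added example (not from the thread or from Dovecot): application-specific
passwords for one mailbox, each labelled and revocable on its own. The user
and passwords in the test are constructed sample data."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, not a Dovecot default


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def generate_app_password() -> str:
    """App passwords are generated, never chosen, so one cannot be guessed from another."""
    return secrets.token_urlsafe(18)


class AppPasswordStore:
    def __init__(self) -> None:
        # user -> {label: [salt, hash, enabled]}
        self._db: dict[str, dict[str, list]] = {}

    def add(self, user: str, label: str, password: str) -> None:
        salt = os.urandom(16)
        self._db.setdefault(user, {})[label] = [salt, _hash(password, salt), True]

    def revoke(self, user: str, label: str) -> None:
        """Disable one client's password without touching the others."""
        self._db[user][label][2] = False

    def labels(self, user: str) -> dict[str, bool]:
        """Which app passwords exist for the user, and whether each is enabled."""
        return {label: row[2] for label, row in self._db.get(user, {}).items()}

    def check(self, user: str, supplied: str) -> Optional[str]:
        """Return the label of the enabled app password that matched, or None.
        Every stored hash is compared, so the response time does not depend on
        which label (if any) matched."""
        matched = None
        for label, (salt, digest, enabled) in self._db.get(user, {}).items():
            if hmac.compare_digest(_hash(supplied, salt), digest) and enabled:
                matched = label
        return matched
```

Because `check` returns the label rather than a bare yes/no, the server can log which client credential was used for a session, which is what makes a leaked webmail password both recognisable and revocable without locking K9 or Thunderbird out.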


----------



## obsigna (Mar 9, 2014)

xy16644 said:

> ... Can my account in MySQL have multiple passwords to do the above?



There is a forum post about HTTP-Digest-Authentication for RoundCube with Dovecot/Postfix backend. When reading this post, replace in your mind every occurrence of HTTP-Digest by OTP, since the actual obstacle is the same, namely, how Roundcube knows from the HTTP-Digest in the first case or from the OTP in the second case the actual password for authentication against Dovecot SASL.

In said post and its follow-up the problem has been solved using the utility program vumap for mapping virtual users from a local secret master file to the different authentication stores for Dovecot, Postfix, and Roundcube. The given HTTP-Digest plugin for Roundcube then utilizes postmap(1) for looking-up the locally stored credentials in order to locally authenticate with Dovecot.

I assume, that it shall be easy to implement a similar thing into the OTP plugin. In effect, OTP authentication to Roundcube would be kept completely separate from the direct access credentials to Dovecot/Postfix.


----------



## xy16644 (Mar 9, 2014)

Thanks for the reply. I have read that post a few times before in the past (before I even built my new server) but I found it a bit difficult to follow.

After some more research I found this article which pretty much is what I am wanting to do: http://www.justinbuchanan.com/blog/...ecific-Passwords-for-Dovecot-and-Postfix.aspx. The only tricky bit is, trying to retrofit my current setup (MySQL and Dovecot) so that I can make use of Application Specific Passwords. In my setup, I use K9 mail on Android, Thunderbird email client and Roundcube for webmail. I'd (ultimately) like to have a password I use for K9 and Thunderbird but for webmail I would like a separate password so that if someone obtains my password from a keylogger at an Internet cafe, they can't use it for webmail (due to OTP) and they can't access IMAP/SMTP (since this will have a different password).

I wish I could contact the author as I have some questions and his contact page doesn't work.


----------



## xy16644 (May 5, 2014)

Maybe I should also ask this:

Can I have two factor authentication for Dovecot/IMAP?


----------



## ondra_knezour (May 5, 2014)

There are OTP and SCRYPT methods mentioned on the Dovecot wiki, but I didn't find any configuration example. However there is some code to look at, see http://hg.dovecot.org/dovecot-2.2/file/ ... mech-otp.c


----------



## xy16644 (May 5, 2014)

ondra_knezour said:

> There are OTP and SCRYPT methods mentioned on the Dovecot wiki, but I didn't find any configuration example. However there is some code to look at, see http://hg.dovecot.org/dovecot-2.2/file/ ... mech-otp.c



This guy seems to have what I am looking for:

http://blog.kevinvandervlist.nl/projects/roundcube-static-otp/


----------



## ondra_knezour (May 5, 2014)

See also security/pam_google_authenticator. Dovecot can use PAM modules for authentication, however their wiki says that only plaintext passwords can be used with PAM. I am a little confused if that statement means that you can not use only the challenge-response schemes (which is understandable, as there is AFAIK no way to ask PAM for a challenge, send it to the user and return the response to PAM) or if it restricts available methods only to PLAIN and LOGIN. There is no reason why Dovecot can't say "Hello PAM, there is somebody at the door whose name may be user and gives me 389219 as OTP, what do you think about it?" IMHO.


----------



## xy16644 (May 5, 2014)

ondra_knezour said:

> See also security/pam_google_authenticator. Dovecot can use PAM modules for authentication, however their wiki says that only plaintext passwords can be used with PAM. I am a little confused if that statement means that you can not use only the challenge-response schemes (which is understandable, as there is AFAIK no way to ask PAM for a challenge, send it to the user and return the response to PAM) or if it restricts available methods only to PLAIN and LOGIN. There is no reason why Dovecot can't say "Hello PAM, there is somebody at the door whose name may be user and gives me 389219 as OTP, what do you think about it?" IMHO.



I'm already using the Google Authenticator but thanks for the recommendation. The problem I am facing is that a OTP isn't going to secure access to my mailbox via IMAP.

Let me explain...

Let's assume I am going to use an Internet cafe machine to log in to my email using Roundcube and that there is a keylogger installed on the machine.

When I log in to Roundcube, I enter my username and password as well as my OTP. All seems secure right? Well no. Roundcube is secure and the hacker that has my login credentials can NOT log in. The problem is that they CAN use my login credentials to access my email via IMAP (i.e. Thunderbird/K9/Outlook/etc.).

So I am basically looking at a way to secure Roundcube when logging into it from an untrusted machine. 

Using a "throw away password" with OTP seems to be a good combination to me but I need to figure out how to implement it!


----------



## ondra_knezour (May 5, 2014)

Hm, what I would try to explore in your situation:
 - Can all my clients (including the IMAP ones like Thunderbird) use OTP and I don't consider it painful to enter it on each connection - remove other auth mechanisms (I also saw something about OTP valid for some period in some list, so you have to enter it only once per day for example).
 - Method one is not possible? Try to use certificates with other clients and OTP as fallback for the webmail.
 - Last resort solution - set up webmail to access your mailbox without login (e.g. hardcode your username/password somewhere etc.) and require the HTTP auth with some "nonexistent" username and OTP. For example the Apache httpd server can use either PAM module mentioned above or there is www/mod_authn_otp module.


----------



## obsigna (May 5, 2014)

xy16644 said:

> ...
> The problem I am facing is that a OTP isn't going to secure access to my mailbox via IMAP.
>
> Let me explain...
> ...



Who told you, that you must use the same credentials for Roundcube as for IMAP?



			
xy16644 said:

> So I am basically looking at a way to secure Roundcube when logging into it from an untrusted machine.



Simply use different credentials for Roundcube web login, and use other credentials with your MUAs.


----------



## xy16644 (May 6, 2014)

How can I have separate credentials for Roundcube and IMAP...AND have it so that the Roundcube credentials CAN'T be used with IMAP (and vice versa)?


----------



## obsigna (May 6, 2014)

xy16644 said:

> How can I have separate credentials for Roundcube and IMAP...AND have it so that the Roundcube credentials CAN'T be used with IMAP (and vice versa)?



See: http://trac.roundcube.net/wiki/Howto_Config#ConfiguringforVirtualUsers

Basically, in addition to having ...

xy16644 said:

> ... installed the following plugin for Roundcube to enable OTP: https://github.com/alexandregz/twofactor_gauthenticator ...


..., you would activate and set up the pre-installed Roundcube plugin virtuser_query. The user provides the Roundcube credentials via the web-interface, and the virtuser_query plugin looks up the real IMAP credentials in the database of the Dovecot users, and then Roundcube uses that for authentication against Dovecot. So, the real IMAP credentials never leave the server, and of course these may be different from the Roundcube credentials.
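The distinction being drawn here, between checking the browser-supplied password and using it only to look up a different credential, is easier to see in code. The following is an added example and not the virtuser_query plugin's own code (which is PHP) nor anything from the thread: a Python model of the flow, with a fake IMAP backend standing in for Dovecot. The class names, the PBKDF2 parameters and the sample accounts and passwords are constructed for the example.

```python
"""Added example (not from Roundcube's virtuser_query plugin or the thread):
a model of the "look up, don't check" flow. The web front end verifies its own
credential, then looks up the IMAP credential server-side and uses it to open
the backend session, so the IMAP credential never reaches the browser."""
import hashlib
import hmac
import os
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FakeImapBackend:
    """Stands in for Dovecot: accepts only the mailbox's own IMAP credential."""

    def __init__(self) -> None:
        self._accounts: dict[str, bytes] = {}  # imap_user -> salt || hash

    def add_account(self, imap_user: str, imap_password: str) -> None:
        salt = os.urandom(16)
        self._accounts[imap_user] = salt + _pbkdf2(imap_password, salt)

    def login(self, imap_user: str, imap_password: str) -> Optional[str]:
        record = self._accounts.get(imap_user)
        if record is None:
            return None
        salt, digest = record[:16], record[16:]
        if not hmac.compare_digest(_pbkdf2(imap_password, salt), digest):
            return None
        return f"imap-session:{imap_user}"


class WebFrontEnd:
    """Stands in for Roundcube with virtuser_query: its own credential table
    plus a mapping to the real IMAP credential, which stays on the server."""

    def __init__(self, backend: FakeImapBackend) -> None:
        self.backend = backend
        self._rows: dict[str, tuple] = {}  # web_user -> (salt, web_hash, imap_user, imap_password)

    def enrol(self, web_user: str, web_password: str, imap_user: str, imap_password: str) -> None:
        salt = os.urandom(16)
        # The IMAP password has to be stored in usable form for the lookup to
        # work; this table therefore needs the same protection as the server's
        # other secrets, and the web password is stored only as a hash.
        self._rows[web_user] = (salt, _pbkdf2(web_password, salt), imap_user, imap_password)

    def login(self, web_user: str, web_password: str) -> Optional[str]:
        row = self._rows.get(web_user)
        if row is None:
            return None
        salt, web_hash, imap_user, imap_password = row
        if not hmac.compare_digest(_pbkdf2(web_password, salt), web_hash):
            return None
        # Lookup, not check: the browser-supplied password only authorises the
        # lookup; the looked-up credential is what opens the IMAP session, and
        # it is never returned to the caller.
        return self.backend.login(imap_user, imap_password)
```

The point the test makes explicit: the web credential, which is all a keylogger on the cafe machine can see, opens nothing on the IMAP side, while the credential that does is never typed anywhere.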


----------



## xy16644 (May 6, 2014)

I'm not sure how this helps since you still have to type in a username/password at the Roundcube login screen (that can be recorded by a keylogger)? Doesn't this plugin just check the user's password against a database that IMAP uses as well?


----------



## obsigna (May 6, 2014)

xy16644 said:

> I'm not sure how this helps since you still have to type in a username/password at the Roundcube login screen (that can be recorded by a keylogger)? Doesn't this plugin just check the user's password against a database that IMAP uses as well?



No, this plugin uses the Roundcube credentials for looking up the IMAP credentials. So Roundcube receives any unconfined credentials, uses these internally for looking up (querying) the real IMAP credentials, and then it continues with the looked-up IMAP credentials - and again, no, the keylogger won't see these looked-up real IMAP credentials under any circumstances, because these looked-up credentials will never leave the server.

I am not a native English speaker, however, I am sure that there is a difference between checking and looking-up, isn't there?


----------



## xy16644 (May 7, 2014)

Maybe I should approach this from a different angle.

Is there a guide (or recommended way) of setting up Dovecot/Postfix/Roundcube with OTP? 

What do other people do to secure their login credentials when using email (with Roundcube in particular) on an untrusted machine? Currently I have OTP setup for Roundcube only (using Google Authenticator) but nothing for Dovecot and Postfix.


----------

