Hi, Further to the other thread about password guessing activities against our dovecot, I would like to implement application specific passwords on our dovecot. Googling results in some documents, but they are all a bit older:> https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/> https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot> http://www.justinbuchanan.com/blog/category/RoundCube> http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-PostfixThose articles are interesting, but also rather old. (I realse that this does not neccesarily mean: irrelevant or bad) Is there anone here with some additional notes, ideas, tips, trics on setting up application specific passwords with dovecot with virtual users? We are using samba AD as an authentication backend. MJ
Quoting mj <lists at merit.unu.edu>:> Hi, > > Further to the other thread about password guessing activities > against our dovecot, I would like to implement application specific > passwords on our dovecot. > > Googling results in some documents, but they are all a bit older: > >> https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/ > >> https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot > >> http://www.justinbuchanan.com/blog/category/RoundCube > >> http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix > > Those articles are interesting, but also rather old. (I realse that > this does not neccesarily mean: irrelevant or bad) > > Is there anone here with some additional notes, ideas, tips, trics > on setting up application specific passwords with dovecot with > virtual users? We are using samba AD as an authentication backend. > MJI'm working on PrivacyIdea (PI) integration for 2FA.? The reason I mention this for app passwords is because PI allows multiple 'tokens' that aren't just for 2FA.? This would allow you give your users a web portal to create 'password' (SPASS) tokens - using their AD pass to auth to the portal. Then using PAM Radius, Dovecot can auth against the multiple password tokens. Personally - I'm not too thrilled about having users have multiple passwords for IMAP - BUT if you're trying to protect the AD password, this would be a method of isolating AD away.? You can set PI to fall back to the AD password if the user doesn't have a token, so integration is pretty seamless. You can also do some fancy policy-based token matching to require 2FA for say - webmail - and allow SPASS for POP/IMAP.? This is what I'm aiming for, but I've had issues with the webmail client portion (user using 2FA, and IMAP being hardcoded) and haven't gotten back to it to truely guide anyone else through it. Rick
Hi, mj * mj [2017-07-20 13:29]:> Hi, > > Further to the other thread about password guessing activities against our > dovecot, I would like to implement application specific passwords on our > dovecot.[...]> > Is there anone here with some additional notes, ideas, tips, trics on > setting up application specific passwords with dovecot with virtual users? > We are using samba AD as an authentication backend.I'm not familiar with samba AD and with it's features and limitation. For my simple system I'm using plain files for passdb and userdb (aka. passwd-file). Application (or rather device) specific passwords are implementing by using having an additional "username" with a specific password for a particular application or device. E.g. some entries for myself: bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M The files are generated automatically from a Single Source of Truth. In my case I'm selecting the username myself, but there's nothing preventing you from generating a username/password combination for your users. Note that in my setup users will have application specific username and password, not only application specific password. It was easier to implement it quickly this way. Greetz Kirill -- -- Kirill Miazine <km at krot.org>
Hi, Let me ask a more specific question. What I would like to configure, is: - for our internal users to use their regular AD usernam/passwords, just as everybody can currently do. but, new: - for external users, to ONLY be allowed to use an application specific password. (or username and password, fine as well) Step one: making ldap password authentication valid only from our internal network. I though: using allow_nets=192.168.1.0/24 for that passdb But I can't get that to work. :-( Unsure where exactly to define the allow_nets, tried many variations on the theme already. Perhaps someone can help with the step one, and also tell me if the approach outlined above is smart, valid and do-able in dovecot. Here are our sanitised configs:> root at mails:/etc/dovecot# doveconf -n > # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.16 (fed8554) > # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs > auth_debug = yes > auth_failure_delay = 2 secs > auth_master_user_separator = * > auth_mechanisms = plain login > auth_username_format = %Ln > auth_verbose = yes > auth_verbose_passwords = plain > debug_log_path = /var/log/dovecot/dovecot.debug > deliver_log_format = %f | %s | msgid=%m: %$ > disable_plaintext_auth = no > info_log_path = /var/log/dovecot/dovecot.info > lda_mailbox_autocreate = yes > lda_mailbox_autosubscribe = yes > log_path = /var/log/dovecot/dovecot.err > login_greeting = Dovecot ready. > mail_gid = vmail > mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir > mail_plugins = acl lazy_expunge zlib quota mail_log notify > mail_uid = vmail > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave > namespace { > list = children > location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u > prefix = shared/%%n/ > separator = / > subscriptions = no > type = shared > } > namespace inbox { > inbox = yes > location = > mailbox "Deleted items" { > special_use = \Trash > } > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent items" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > mailbox inbox { > auto = subscribe > } > prefix = > separator = / > type = private > } > passdb { > args = /etc/dovecot/master-users > driver = passwd-file > master = yes > } > passdb { > args = /etc/dovecot/dovecot-ldap.conf.ext > driver = ldap > skip = authenticated > } > plugin { > acl = vfile > acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db > mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append > mail_log_fields = uid box msgid from subject > quota = maildir > quota_rule = ?:storage=5G > quota_rule2 = Trash:storage=+100M > quota_warning = storage=97%% quota-warning 97 %u > quota_warning2 = storage=95%% quota-warning 95 %u > quota_warning3 = storage=90%% quota-warning 90 %u > quota_warning4 = storage=85%% quota-warning 85 %u > quota_warning5 = storage=80%% quota-warning 80 %u > quota_warning6 = -storage=100%% quota-warning below %u > sieve = ~/.dovecot.sieve > sieve_default = /var/lib/dovecot/default.sieve > sieve_dir = ~/sieve > } > protocols = imap lmtp sieve > service auth { > unix_listener /var/spool/postfix/private/auth { > mode = 0666 > } > unix_listener auth-userdb { > group = vmail > mode = 0666 > user = vmail > } > } > service imap-login { > process_limit = 500 > process_min_avail = 2 > } > service quota-warning { > executable = script /usr/local/bin/quota-warning.sh > unix_listener quota-warning { > user = vmail > } > user = dovecot > } > ssl_ca = </etc/ssl/comodo/chain.crt > ssl_cert = </etc/ssl/comodo/server.crt > ssl_key = # hidden, use -P to show it > ssl_protocols = !SSLv2 !SSLv3 > userdb { > args = /etc/dovecot/dovecot-ldap.conf.ext > driver = ldap > } > verbose_proctitle = yes > protocol lda { > mail_plugins = acl lazy_expunge zlib quota mail_log notify sieve quota > } > protocol imap { > imap_max_line_length = 2 M > mail_max_userip_connections = 30 > mail_plugins = acl lazy_expunge zlib quota mail_log notify imap_quota imap_acl > }and our dovecot-ldap.conf.ext:> hosts = ldap1 ldap2 ldap3 > dn = cn=search,cn=.... > dnpass = secretashell > tls = no > debug_level = 0 > auth_bind = yes > base = CN=Users, DC=..... > scope = subtree > user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24 > user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) > pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) > iterate_attrs = sAMAccountName=user > iterate_filter = (objectClass=person)MJ
Hi Kirill, Thanks for your reply. Such a simple flat file approach would be perfect, and I don't mind at all to require app specific usernames *and* passwords. However, I am unsure how to combine your recipe below with our regular AD userdb/passdb. Perhaps someone can give me some pointers in that direction? MJ On 07/20/2017 06:50 PM, Kirill Miazine wrote:> I'm not familiar with samba AD and with it's features and limitation. > For my simple system I'm using plain files for passdb and userdb (aka. > passwd-file). Application (or rather device) specific passwords are > implementing by using having an additional "username" with a specific > password for a particular application or device. E.g. some entries for > myself: > > bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M > kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M > sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M > workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M > > The files are generated automatically from a Single Source of Truth. > > In my case I'm selecting the username myself, but there's nothing > preventing you from generating a username/password combination for your > users. > > Note that in my setup users will have application specific username and > password, not only application specific password. It was easier to > implement it quickly this way. > > Greetz > Kirill >