# Dovecot configuration (authentication)

## pa4wdh

Hi All,

I'm setting up an email server, and so far everything looks good. I do have one challenge left with Dovecot ....

For security I want to authenticate users with 2 factor authentication. So far I've set up PAM to use the system password + Google Authenticator code, and that works great when using a regular mail client like Thunderbird.

The problem starts with two extra scenarios:

- I want to provide webmail.

- I have a few accounts that will be read automatically (by applications/scripts)

Webmail, in contrast to a normal email client, makes a new (IMAP) session every time you request a page, using the credentials you entered when you logged in. Of course, due to the 2 factor authentication the password changes after some time, and the webmail session breaks.

For the automated accounts, I don't have the option to make them do 2 factor authentication.

I hoped to be able to solve this by making the authentication depend on the source of the request. Webmail always originates from localhost, and the automated accounts have fixed IP addresses, so they should then be able to use regular authentication. I haven't found any way to do that.

Does anyone have a solution for this problem? I guess (and hope :) ) I'm not the only one doing this :)

Thanks in advance.

----------

## freke

There seems to be some plugin for Roundcube-webmail to make Google OTP work.

(might be other interesting stuff in the thread, too - didn't read it all through - not planning on implementing it on my mail-server right now)

https://forums.freebsd.org/viewtopic.php?f=43&t=45341

----------

## pa4wdh

Thanks for your reply Freke.

*Quote:*

> There seems to be some plugin for Roundcube-webmail to make Google OTP work.

I found that too, but that is the scenario where you want 2 factor authentication on Roundcube while having a single factor towards Dovecot/Postfix. I'm still stuck at making Dovecot do single factor authentication when the request comes from Roundcube, while still using 2 factor authentication when the request comes from somewhere else.

*Quote:*

> (might be other interesting stuff in the thread, too - didn't read it all through - not planning on implementing it on my mail-server right now)
>
> https://forums.freebsd.org/viewtopic.php?f=43&t=45341
> ...

Sure an interesting thread. I've scanned it a bit and it doesn't seem like something I can use, but I'll read it again when I have a bit more time to be sure.

----------

## pa4wdh

I got it working :)

I'm running two Dovecot instances now with different authentication configurations and different ports. The webmail uses the special configuration with single factor authentication; on the regular ports I'm using the 2 factor authentication. A firewall makes sure that only the one with 2 factor authentication is available from outside.

After that I used the Roundcube plugin mentioned in the thread Freke linked to, which made the webmail itself perform 2 factor authentication.

----------
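The two-instance setup in the last post depends on the single factor listener never being reachable from outside. The following check is an added example, not code from any poster in this thread: it parses `ss -ltn` output and reports single factor listeners bound to anything other than loopback. The port number 10143 and the sample lines are assumptions constructed for illustration, and it assumes the webmail runs on the same host as Dovecot.

```python
import ipaddress
import sys

# Assumption: the single factor (webmail-only) Dovecot instance listens on
# this port; the thread does not give the real port numbers.
SINGLE_FACTOR_PORTS = {10143}

# Constructed sample of `ss -ltnH` output (not taken from the thread).
SAMPLE_OK = """\
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
LISTEN 0 100 [::]:993 [::]:*
LISTEN 0 100 127.0.0.1:10143 0.0.0.0:*
LISTEN 0 100 [::1]:10143 [::]:*
"""
SAMPLE_BAD = SAMPLE_OK + "LISTEN 0 100 *:10143 *:*\n"


def parse_listeners(ss_output):
    """Yield (host, port) for every LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or blank line
        host, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield host.strip("[]").split("%")[0], int(port)


def is_loopback(host):
    """True only for explicit loopback addresses; wildcards are not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or anything unparsable is treated as exposed


def exposed_single_factor(ss_output, ports=SINGLE_FACTOR_PORTS):
    """Return single factor listeners bound to anything but loopback."""
    return sorted(
        (host, port)
        for host, port in parse_listeners(ss_output)
        if port in ports and not is_loopback(host)
    )


if __name__ == "__main__":
    text = SAMPLE_BAD if sys.stdin.isatty() else sys.stdin.read()
    for host, port in exposed_single_factor(text):
        print(f"single factor listener reachable beyond loopback: {host}:{port}")
```

Pipe real `ss -ltnH` output into the script on the mail server; a wildcard bind means the firewall rule is the only barrier in front of the single factor instance.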

