On 2020-05-25, Darren S. <[email protected]> wrote:
> OpenBSD 6.6 amd64
> OpenSMTPD 6.6.0
> Dovecot 2.3.9.3 (9f41b88fa)
> login_duo 1.11.2
>
> I'm working with an OpenSMTPD/Dovecot installation that will support
> users authenticating over the internet and I'm curious if any form of
> multi-factor authentication is possible for IMAP (and optionally,
> SMTP).
No, this can't really work directly for IMAP (you could have a mechanism that uses a password and OTP together in the password field, but a typical client will make multiple connections at different times, so this won't work in a usable way). Current methods working something along these lines use OAuth2 - multi factor would be used when creating an access token (usually done via a web interface) and then an IMAP/SMTP client would use this for the normal logins. Dovecot supports this for IMAP - I haven't noticed any open source MTAs that do this for SMTP though (gmail offers it and it works in some MUAs).

> Currently SMTP auth and Dovecot both authenticate users over TLS using
> their system user passwords. I have also set up Duo MFA for sshd using
> the login_duo package so admins can additionally authenticate with a
> push notification to phone.
>
> Is there any sort of supported way of wiring up login_duo with
> OpenSMTPD and Dovecot, or using bsdauth in some way to enforce a
> second auth factor?

bsdauth isn't really set up for multi factor, the only way I've seen this done is splitting the password field into a fixed-length OTP and a password.
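As an added illustration of the password-field split the reply describes (example code, not from the thread, Dovecot or OpenSMTPD): a verifier that treats the submitted password field as <password><6-digit TOTP>, with the OTP seed taken from the RFC 6238 test vectors. The sample password, salt and all function names are constructed; the last function shows why the reply calls the scheme unusable for IMAP, since a client that caches the field and reconnects after the time step has passed is rejected.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6        # fixed-length OTP suffix on the password field
OTP_STEP = 30         # TOTP time step in seconds (RFC 6238)
PBKDF2_ROUNDS = 100_000

def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = OTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)

def hash_password(password: str, salt: bytes) -> bytes:
    """Stored verifier for the password factor (PBKDF2 stands in for the system's crypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_split_credential(field, salt, pw_hash, otp_secret, at, skew=1):
    """Treat the client's password field as <password><6-digit OTP>.

    Both factors are always evaluated so the response time does not reveal
    which one failed.
    """
    if len(field) <= OTP_DIGITS or not field[-OTP_DIGITS:].isdigit():
        return False
    password, code = field[:-OTP_DIGITS], field[-OTP_DIGITS:]
    pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    # accept the current step plus/minus `skew` steps of clock drift
    otp_ok = any(hmac.compare_digest(code, totp(otp_secret, at + d * OTP_STEP))
                 for d in range(-skew, skew + 1))
    return pw_ok and otp_ok

# constructed sample user; the OTP seed is the RFC 6238 test-vector secret
SALT = b"constructed-salt"
PW_HASH = hash_password("correct horse", SALT)
OTP_SECRET = b"12345678901234567890"

def client_reconnect_outcome(field, first_login, reconnect_after):
    """A MUA caches the password field and replays it on a later connection."""
    first = verify_split_credential(field, SALT, PW_HASH, OTP_SECRET, first_login)
    later = verify_split_credential(field, SALT, PW_HASH, OTP_SECRET, first_login + reconnect_after)
    return first, later
```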

