How to Configure Roundcube/Dovecot for *Effective* 2-Factor Authentication

Question

There are several Roundcube plugins that provide two-factor authentication. However, the issue I now see is that I can still simply log in via IMAP/SMTP, without 2-FA (obviously). 2-FA is (effectively) useless here.

I thought I could solve this problem by introducing application-specific passwords and doing something similar as Google is also doing with their 2-FA and applications that don't support it.

Now I thought I could automatically generate an app-specific password for Roundcube for each user, which is different to the one used to login to the Roundcube web interface. The result would be that the user can still have their own password + 2-FA for logging in to Roundcube but the same password can't be used for IMAP/SMTP directly. However, I cannot seem to find a way to configure Roundcube to use a different IMAP password to the one used to log into the web interface.

Both Roundcube and Dovecot are running on the same machine.

Am I missing something here? Is what I am doing sensible? This seems like a problem which could be solvable in a more elegant manner than what I'm attempting, so am I missing something there? All I really want is 2-FA authentication wherever possible and application-specific passwords everywhere else.

Thank you!

Answer 1

After trying around some more I found two reasonable solutions/workarounds, at least for this simple case.

Option 1: using allow_nets. Dovecot allows for various extra fields to be returned by the passdb, including 'allow_nets' (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets). By setting allow_nets to 127.0.0.1 for the password that is to be used by Roundcube any login attempts from other sources will fail. If Roundcube is on a different machine the IP will need to be adjusted, obviously. Problems with this approach are non-static IP addresses and if users have other non 2-FA ways to log in via e.g. a proxy running on the same machine as Roundcube.

Option 2: Using CheckPassword to write a custom authentication script. Using the checkpassword driver (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) for the passdb allows for a custom authentication script to be written. You can check the client IP in there or do something entirely different. Possible issues here are performance and you might need some extra configuration for user lookups, as checkpassword doesn't support user lookups. Also, the problem of verifying how the user is actually trying to log in remains.