northox / roundcube-yubikey-plugin

A plugin to use Yubico's Yubikey 2nd factor with Roundcube webmail
GNU General Public License v2.0

No way to separate static login password from IMAP user password #16

Closed danielkr123 closed 7 years ago

danielkr123 commented 7 years ago

Dear all,

I installed the plugin and it is working great. However, there is no way to separate the static login password from the IMAP user password. Hence, if somebody got to know my static password, he could simply bypass the 2FA by connecting directly to the IMAP server.

The only effective way I could think of is separating the IMAP and the Roundcube login password:

Do I get something wrong?

Best regards, Daniel

northox commented 7 years ago

Hello Daniel, sorry for the delay - bad timing for me.

If you expose IMAP (e.g. dovecot), I suggest applying the 2nd factor directly on your authentication mechanism (e.g. sasl, pam) in which case you wouldn't need this plugin.

Roundcube needs the IMAP password as it's simply acting as an IMAP client. So for your proposal to work we would need to store your Roundcube-specific hashed password in a database along with the associated IMAP password - maybe encrypted with your Roundcube password to avoid it being stored in clear text. I guess that's all possible, but unfortunately I stopped developing this plugin. I'm open to pull requests.

regards,
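The storage scheme northox sketches in the reply above, worked out as an added example. This is not code from roundcube-yubikey-plugin or from Roundcube; it assumes PHP 7.2+ with the sodium extension, uses an in-memory array as a stand-in for the plugin's database table, and the function names (`enrol_user`, `derive_wrapping_key`, `unlock_imap_password`) are hypothetical. The Roundcube login password is kept only as a password hash, and the IMAP password is kept only encrypted under a key derived from that login password, so the login password on its own is useless against the IMAP server and the database on its own does not reveal the IMAP password.

```php
<?php
// Added illustration of the design discussed in the issue: separate
// Roundcube login password (stored hashed) and IMAP password (stored
// encrypted under a key derived from the login password). Example code,
// not part of the plugin; requires ext/sodium (PHP >= 7.2). The array
// returned by enrol_user() stands in for a row in the plugin's database.

declare(strict_types=1);

/** Derive the 32-byte secretbox key from the login password and a per-user salt. */
function derive_wrapping_key(string $loginPassword, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $loginPassword,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

/** Enrolment: returns the record that would be persisted for the user. */
function enrol_user(string $loginPassword, string $imapPassword): array
{
    // Verifier for the login password; password_hash picks a slow hash (bcrypt by default).
    $loginHash = password_hash($loginPassword, PASSWORD_DEFAULT);

    // A separate salt for key derivation, so the wrapping key is not
    // recoverable from the stored login hash.
    $kdfSalt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $key     = derive_wrapping_key($loginPassword, $kdfSalt);

    // Authenticated encryption of the IMAP password (XSalsa20-Poly1305).
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($imapPassword, $nonce, $key);
    sodium_memzero($key);

    return [
        'login_hash' => $loginHash,
        'kdf_salt'   => $kdfSalt,
        'nonce'      => $nonce,
        'imap_box'   => $box,
    ];
}

/**
 * Login: returns the IMAP password for the Roundcube session on success,
 * null on a wrong login password or a tampered record. In a plugin this
 * would run only after the Yubikey OTP has already been verified.
 */
function unlock_imap_password(array $record, string $loginPassword): ?string
{
    if (!password_verify($loginPassword, $record['login_hash'])) {
        return null;
    }
    $key   = derive_wrapping_key($loginPassword, $record['kdf_salt']);
    $plain = sodium_crypto_secretbox_open($record['imap_box'], $record['nonce'], $key);
    sodium_memzero($key);

    return $plain === false ? null : $plain;
}

// Demonstration with constructed values.
$record = enrol_user('correct horse battery staple', 'imap-secret-example');
var_dump(unlock_imap_password($record, 'correct horse battery staple'));
var_dump(unlock_imap_password($record, 'not the login password'));
```

Two points follow from the design that the reply only implies: the password check and the decryption must sit behind the OTP check, otherwise the login password alone still unwraps the IMAP credential; and the IMAP password is only ever available while the user is logged in, since the server holds no key to decrypt it at rest. The bcrypt verifier and the pwhash key derivation are deliberately two independent slow functions with separate salts, so a leaked database costs an attacker a full password-guessing run and still yields nothing without the login password.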