Application Specific Passwords + Dovecot/Postfix/MySQL
I built my email server according to the most excellent Linode guide at:
I've pretty much followed the guide word for word and everything is working great!
Recently I found out about something called "Application Specific Passwords". What's that, I hear you say? Let me explain.
Normally you have an account with one password. If you log in to your webmail (via Roundcube for example) from an internet cafe, someone could be recording/logging your keystrokes and after you have left the internet cafe, they could access your email…not good! One thing that does help is to use One Time Passwords (OTP). I use this in Roundcube so when I access my email from a browser I need my login credentials AND an OTP.
That's all well and good except for one problem. Although using an OTP prevents a hacker from accessing my email from a browser…they can still access my email from an IMAP client (such as Thunderbird). This is where Application Specific Passwords (ASP) come in. You still have one username/account but you have multiple passwords. So I could have a password for my smartphone, Thunderbird etc. but have a separate password for Roundcube. If anyone were to gain my Roundcube password it would be useless as it uses OTP and they wouldn't be able to use it for IMAP access as this service uses a separate password. GENIUS!
So I found an article describing how to implement Application Specific Passwords at:
I did try it out on my server and was able to log in using the same account but with a different password (depending on the application) but I wasn't able to send email to internal users. i.e. an email from
Here is what the log says when I sent an email internally to my own domain hosted on my server:
to=<user1@domain.com>, relay=mail.domain.com[private/dovecot-lmtp],
delay=0.08, delays=0.05/0.01/0/0.02, dsn=5.1.1, status=bounced (host
mail.domain.com[private/dovecot-lmtp] said: 550 5.1.1
<user1@domain.com>User doesn't exist: user1@domain.com (in reply to
RCPT TO command))
Sorry for the long post but my ultimate question is:
How do I retrofit my server that was built using the Linode guide (quoted above) to use Application Specific Passwords with Dovecot/Postfix/MySQL? I created a new user database for my test but would like to use my existing user database if possible to use ASP.
Many thanks everyone and feel free to ask any questions if it'll help answer the question!
2 Replies
Edit: After looking at your log message again, I'm not so sure my original thought is correct. Have you diagnosed the problem any further?