Application Specific Passwords + Dovecot/Postfix/MySQL

Hello!

I built my email server according to the most excellent Linode guide at:

https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql

I've pretty much followed the guide word for word and everything is working great!

Recently I found out about something called "Application Specific Passwords". What's that, I hear you say? Let me explain :D

Normally you have an account with one password. If you log in to your webmail (via Roundcube for example) from an internet cafe, someone could be recording/logging your key strokes and after you have left the internet cafe, they could access your email… not good! One thing that does help is to use One Time Passwords (OTP). I use this in Roundcube so when I access my email from a browser I need my login credentials AND an OTP.

That's all well and good except for one problem. Although using an OTP prevents a hacker from accessing my email from a browser… they can still access my email from an IMAP client (such as Thunderbird). This is where Application Specific Passwords (ASP) come in. You still have one username/account but you have multiple passwords. So I could have a password for my smartphone, Thunderbird etc. but have a separate password for Roundcube. If anyone were to gain my Roundcube password it would be useless as it uses OTP, and they wouldn't be able to use it for IMAP access as this service uses a separate password… GENIUS!

So I found an article describing how to implement Application Specific Passwords at:

http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix.aspx

I did try it out on my server and was able to log in using the same account but with a different password (depending on the application), but I wasn't able to send email to internal users, i.e. an email from user1@domain.com to user2@domain.com didn't work. Sending email externally worked fine.

Here is what the log says when I sent an email internally to my own domain hosted on my server:

to=<user1@domain.com>, relay=mail.domain.com[private/dovecot-lmtp],
delay=0.08, delays=0.05/0.01/0/0.02, dsn=5.1.1, status=bounced (host
mail.domain.com[private/dovecot-lmtp] said: 550 5.1.1
<user1@domain.com> User doesn't exist: user1@domain.com (in reply to
RCPT TO command))

Sorry for the long post but my ultimate question is:

How do I retrofit my server that was built using the Linode guide (quoted above) to use Application Specific Passwords with Dovecot/Postfix/MySQL? I created a new user database for my test but would like to use my existing user database if possible to use ASP.

Many thanks everyone and feel free to ask any questions if it'll help answer the question! 8)
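The following is an added illustration, not code from the original post, the Linode guide or the linked blog article. It models in Python (with an in-memory SQLite database standing in for MySQL) the data model behind application-specific passwords: one mailbox row per account, plus a separate table holding one hashed password per client. Two lookups are modelled after the two lookups Dovecot performs. The passdb lookup runs when a client authenticates and may match any of the account's credentials; the userdb lookup runs when dovecot-lmtp accepts a message for delivery and must resolve the recipient from the address alone, because delivery does not involve any password. The table names, the `home`/`uid`/`gid` values and the PBKDF2 hashing (used here in place of Dovecot's SHA512-CRYPT scheme) are assumptions made for the example; in a real Dovecot setup `password_query` returns the stored hash and Dovecot performs the comparison itself, whereas this demo simply tries each credential for the user.

```python
import hashlib
import hmac
import os
import sqlite3

# Schema is constructed for this example (names are not those of the Linode
# guide). The main password is the one Roundcube uses (protected by OTP there);
# each client gets its own row in app_passwords that can be revoked alone.
SCHEMA = """
CREATE TABLE virtual_users (
    id       INTEGER PRIMARY KEY,
    email    TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    home     TEXT NOT NULL
);
CREATE TABLE app_passwords (
    id       INTEGER PRIMARY KEY,
    user_id  INTEGER NOT NULL REFERENCES virtual_users(id),
    label    TEXT NOT NULL,
    password TEXT NOT NULL,
    UNIQUE (user_id, label)
);
"""

ITERATIONS = 100_000  # PBKDF2 rounds; stand-in for SHA512-CRYPT (assumption)


def hash_password(plain, salt=None):
    """Salted PBKDF2-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(plain, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def create_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, email, main_password):
    # Mailbox path is a constructed placeholder.
    conn.execute("INSERT INTO virtual_users (email, password, home) VALUES (?, ?, ?)",
                 (email, hash_password(main_password), "/var/mail/vhosts/" + email))


def add_app_password(conn, email, label, app_password):
    conn.execute("INSERT INTO app_passwords (user_id, label, password) "
                 "SELECT id, ?, ? FROM virtual_users WHERE email = ?",
                 (label, hash_password(app_password), email))


def revoke_app_password(conn, email, label):
    """Cut off one client (e.g. a lost phone) without touching the others."""
    conn.execute("DELETE FROM app_passwords WHERE label = ? AND user_id = "
                 "(SELECT id FROM virtual_users WHERE email = ?)", (label, email))


def passdb_lookup(conn, email, presented):
    """Authentication step: return the label of the credential that matched,
    or None. The main password and every app password are all acceptable."""
    rows = conn.execute(
        "SELECT 'main', password FROM virtual_users WHERE email = ? "
        "UNION ALL "
        "SELECT a.label, a.password FROM app_passwords a "
        "JOIN virtual_users u ON u.id = a.user_id WHERE u.email = ?",
        (email, email)).fetchall()
    for label, stored in rows:
        if verify_password(presented, stored):
            return label
    return None


def userdb_lookup(conn, email):
    """Delivery step: resolve the mailbox by address only. If this query
    cannot find the recipient, LMTP answers 550 5.1.1 as in the OP's log."""
    row = conn.execute("SELECT home FROM virtual_users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return None
    return {"home": row[0], "uid": 5000, "gid": 5000}  # uid/gid assumed


def lmtp_rcpt_reply(conn, email):
    """Model of dovecot-lmtp's answer to RCPT TO for the given address."""
    if userdb_lookup(conn, email) is None:
        return "550 5.1.1 <%s> User doesn't exist: %s" % (email, email)
    return "250 2.1.5 OK"


def demo():
    """Constructed sample data: one account, one main and two app passwords."""
    conn = create_db()
    add_user(conn, "user1@domain.com", "webmail-secret")
    add_app_password(conn, "user1@domain.com", "thunderbird", "tb-secret")
    add_app_password(conn, "user1@domain.com", "phone", "phone-secret")
    return conn


if __name__ == "__main__":
    db = demo()
    print(passdb_lookup(db, "user1@domain.com", "tb-secret"))
    print(lmtp_rcpt_reply(db, "user1@domain.com"))
    print(lmtp_rcpt_reply(db, "user2@domain.com"))
```

The point to check when retrofitting an existing server is that the two queries stay independent: adding app passwords changes only what the authentication lookup accepts, while the delivery lookup (`user_query` in `dovecot-sql.conf.ext`) must still find every recipient in the original mailbox table. A 550 5.1.1 "User doesn't exist" from dovecot-lmtp for an address that can still log in is the signature of a delivery lookup that no longer resolves that address.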

2 Replies

Did you ever make any headway on this?

Hey y'all, I'm the author of the blog post referenced by the OP. The error message makes it seem like Postfix is not seeing you as an authenticated user, thus it's rejecting the relay request. Make certain your Postfix SASL authentication is configured to correctly authenticate through Dovecot as referenced in my post. Check out http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL.

Edit: After looking at your log message again, I'm not so sure my original thought is correct. Have you diagnosed the problem any further?
