>> I don't think so, but as I said, I could be wrong.
>
> I think you are. WHY don't you think so? If imapproxy decides it's
> time to release the user's login session (sure, this depends on a
> number of factors in the configuration of all the tools involved -
> imapproxy, SM, PHP), the password is lost and your webmail session
> dies unexpectedly. If you have enough idle time configured into
> everything and auto folder list refresh turned on, you might be able
> to get away with it, but this relies on a user config setting (folder
> refresh), which isn't ideal.

Ahh, you are correct - I misread your post (sorry - too many windows open literally and figuratively). Imapproxy will time out a session, forcing you to generate a new OTP. However, I view that as a security feature and not as a problem. If you need two-factor authentication for webmail you also want to time out the sessions - and so it should not be "unexpected".

>
>> N.B: the version in the how-to uses radius, which is not part of the
>> open source Community Version. However, we have a PHP network client
>> that could be integrated with the Community version. Also, since I
>> wrote that how-to for SM, we have added mutual https authentication
>> that prevents network-based MITM attacks by validating the ssl cert
>> for the user. You can find out more about that
>> here: http://www.wikidsystems.com/learn-more/technology/mutual_authentication.
>
> Keep up the great work!

Thanks!

>
>
>>>>> OR are there other suggestions? TIA
>>>>
>>>> A plugin hooked into the logout page of SquirrelMail could be used to
>>>> create a new password if the system allows it, but I don't have any
>>>> suggestions right now on how to do that in practice.
>>>
>>> I actually have a plugin sitting around that creates OTPs from within
>>> the SM interface (they are ONLY *SquirrelMail* OTPs); the somewhat
>>> insecure part of the puzzle being that SM actually takes the user's
>>> real password and stores it in an encrypted file.
>>> The encryption is
>>> decent (any mcrypt-supported algorithm works), but it's still always
>>> an iffy proposition for an application to store user passwords. This
>>> particular plugin is years old and needs a lot of face-lifting before
>>> it would be ready for use.
>
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication