Hi,

My goal is to protect my mail account with 2FA, which isn't a crazy idea in 2020. Therefore, I would like to know the possibilities of configuring 2FA for Dovecot. In the documentation there are some hints of e.g. OTP in Dovecot [1] and using FreeIPA with Dovecot [2], where FreeIPA has the ability to enable OTP per user [3].

But I can't really find much practical information about such a setup. The documentation of Dovecot is quite silent about the OTP authentication mechanism, and the same goes for the FreeIPA and Dovecot combination with OTP.

So my question is: is this even a supported setup? And if so, where is the documentation? And if not, what's the recommended method to secure your mail setup?

I can imagine alternative solutions like putting the submission and IMAP ports behind a VPN and having all the clients use that VPN. And for the public internet, simply use a web interface (e.g. Nextcloud with Rainloop) which supports 2FA. But I prefer having OTP for e.g. Android and Linux clients.

[1] https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
[2] https://www.freeipa.org/page/Dovecot_Integration
[3] https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

--
Kind regards,
Kees de Jong

OpenPGP fingerprint: 0x0E45C98AB51428E6
You don't say what sort of 2FA you're considering, but wouldn't you just tell Dovecot to use PAM, and then extend PAM to use a 2FA module? For example, there's a Google Auth one available in the second link below.

https://doc.dovecot.org/configuration_manual/authentication/pam/
https://github.com/google/google-authenticator-libpam

P.
(Not a Dovecot expert, although I know a fair amount about Linux)

On 06/01/2020 19.58, Kees de Jong wrote:
> My goal is to protect my mail account with 2FA, which isn't a crazy
> idea in 2020. Therefore, I would like to know the possibilities of
> configuring 2FA for Dovecot. In the documentation there are some hints
> of e.g. OTP in Dovecot [1] and using FreeIPA with Dovecot [2], where
> FreeIPA has the ability to enable OTP per user [3].
>
> But I can't really find much practical information about such a setup.
> The documentation of Dovecot is quite silent about the OTP
> authentication mechanism and the same goes for the FreeIPA and Dovecot
> combination with OTP.
>
> So my question is; is this even a supported setup? And if so, where is
> the documentation? And if not, what's the recommended method to secure
> your mail setup?
Plutocrat wrote on 2020-01-07 03:33:
> https://doc.dovecot.org/configuration_manual/authentication/pam/
> https://github.com/google/google-authenticator-libpam

It does not scale very well to limit 2FA to only PAM users; Dovecot supports many other auth backends, and IMHO Dovecot should never use 2FA, but it could, and IMHO it should be done in the Dovecot auth backend if possible, to keep control where it belongs.

If 2FA solves weak passwords, then 2FA is not needed, so keep it simple :=) Strong passwords are not a solution to leaked passwords; in that case 2FA could help.

Fun part: the nets that control Visa card auth can't make a policy that SMS verification must be done on every transfer of money; the only solution there is to change to Mastercard and enable geolocation blocking of everything until one wants to use one's own Mastercard. I don't trust email auth to be better.
Kees de Jong wrote on 06/01/2020 12:58:
> My goal is to protect my mail account with 2FA, which isn't a crazy
> idea in 2020. Therefore, I would like to know the possibilities of
> configuring 2FA for Dovecot.

Use an authentication backend that supports 2FA, such as oAuth:

https://wiki.dovecot.org/PasswordDatabase/oauth2

--
Ciao,
luigi
I block all my email ports except 25 from countries where I am not going to be sending or receiving email. I also block many datacenters, but blocking Digital Ocean, Vultr and AWS will get you 90% of the way there. You will need to use 587; that is, no auth on 25. Again, no blocking on 25, just block the other email ports.

I get maybe one attempt to log into my email account a week. Yeah, not as good as 2FA, but it isn't a research project either. Just a little firewall programming. I get the CIDRs from bgp.he.net.

I am assuming this is a personal server. A bit extreme, but you could set up a VPN on a VPS and only allow that IP to send and receive email.

-------- Original Message --------
From: lists at luigirosa.com
Sent: January 7, 2020 12:29 AM
To: dovecot at dovecot.org
Subject: Re: 2FA for Dovecot

> Kees de Jong wrote on 06/01/2020 12:58:
>> My goal is to protect my mail account with 2FA, which isn't a crazy
>> idea in 2020. Therefore, I would like to know the possibilities of
>> configuring 2FA for Dovecot.
>
> Use an authentication backend that supports 2FA, such as oAuth:
>
> https://wiki.dovecot.org/PasswordDatabase/oauth2
>
> --
> Ciao,
> luigi