The thing is that people must stop expecting "being able to access mail
wherever you are" without extra steps.
The best solution is to offer a webmail with TOTP or SQRL or a similar secure auth
method.
Then have that webmail add the IP or country to a trusted list, so if you want to
access IMAP mail or SMTP mail from hotel wifi, you simply have to do one single
login to webmail, and then your IMAP/SMTP will work as usual.
The problem with certificates is, as I said, that not many clients support them.
Outlook supports them natively, I don't know if Windows Mail supports them,
and I don't know if Samsung Mail supports them (maybe they do support
client certificates in Enterprise mode, but then you need a license for that),
K9 Mail I know supports them, other built-in email clients I don't know if
they support client certificates.
The solution I have on my email is an OpenVPN connection to my server, which is
protected. My phone has a 24/7 connection to that VPN server, and thus I'm able
to lock out all logins from outside the VPN.
-----Original message-----
From: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> On behalf of
@lbutlr
Sent: 15 July 2021 18:37
To: dovecot mailing list <dovecot at dovecot.org>
Subject: Re: 2FA/MFA with IMAP & postfix/submission
On 2021 Jul 15, at 08:52, Alex <mysqlstudent at gmail.com> wrote:
> Client certs appears to be a good solution.
A solution, certainly. A GOOD solution? Not really.
> What's the process for managing them with more than a hundred client
accounts?
And that's the first issue.
The second issue is "my primary device is not available, I need to login
from this other computer or use my phone which is unsuitable for this task. Too
bad I have no choice but to use the phone because this computer doesn't have the
cert."
And then you have the "now that I've installed this cert, this
computer is considered trusted" which is another issue.
2FA is a lot more flexible and robust.
OATH works well. SQRL looks promising though it requires a web UI to do the
authentication (and SQRL does away with passwords as well).
> I believe the problem they are trying to solve is hacked accounts from
> compromised passwords. Does client certs solve that problem?
Maybe. Depends on if the hacker can get access to the user's machine or not.
> Perhaps there are dovecot (and postfix submission) options to at least
> restrict access by IP?
It is certainly possible in Postfix, but that opens up its own issues. It may be
acceptable in some corporate environs, but in most situations being able to
access your email wherever you are is a requirement.
--
The wages of sin is death, but so is the salary of virtue, and at
least the evil get to go home early on Fridays. --Witches Abroad
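The scheme proposed at the top of the thread (a TOTP-protected webmail login that adds the client's IP to a short-lived trusted list, which the IMAP/SMTP side then consults) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Dovecot or from Postfix. The TOTP check is an RFC 6238 implementation (HMAC-SHA1, 30-second step, 6 digits, one step of clock drift allowed), exercised with the RFC's published test secret; the trusted-source store, the `TRUST_TTL` of 8 hours, the choice to trust a single IPv4 address but a /64 for IPv6 (mobile and hotel networks tend to rotate the host part), and the function names are all assumptions. How the IMAP server is made to query `imap_allowed` (a pre-auth lookup, a dynamically generated firewall rule, etc.) is deliberately left out.

```python
import hashlib
import hmac
import ipaddress
import struct

TOTP_STEP = 30          # seconds per TOTP counter step (RFC 6238 default)
TOTP_DIGITS = 6
TRUST_TTL = 8 * 3600    # assumption: an IP stays trusted 8 hours after a webmail login

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); used only for the demo.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).
    Uses a constant-time comparison so timing does not leak how many digits matched."""
    base = at // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, base + drift), code)
               for drift in range(-window, window + 1))


def _trust_scope(client_ip: str) -> ipaddress._BaseNetwork:
    """Assumption: trust the exact IPv4 address, but the /64 for IPv6."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 32 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


class TrustedSources:
    """In-memory (user, network) -> expiry store fed by webmail logins and read by IMAP/SMTP."""

    def __init__(self) -> None:
        self._entries: dict = {}

    def webmail_login(self, user: str, password_ok: bool, code: str,
                      secret: bytes, client_ip: str, now: int) -> bool:
        # Both factors must pass before anything is added to the trusted list.
        if not (password_ok and verify_totp(secret, code, now)):
            return False
        self._entries[(user, _trust_scope(client_ip))] = now + TRUST_TTL
        return True

    def imap_allowed(self, user: str, client_ip: str, now: int) -> bool:
        """Called by the IMAP/SMTP side: is this user's connection from a trusted source?"""
        ip = ipaddress.ip_address(client_ip)
        for (u, net), expiry in list(self._entries.items()):
            if expiry <= now:          # lazily expire stale entries
                del self._entries[(u, net)]
                continue
            if u == user and ip in net:
                return True
        return False


if __name__ == "__main__":
    store = TrustedSources()
    t = 59  # RFC 6238 test time; code for it is "287082"
    print("IMAP before login:", store.imap_allowed("alice", "203.0.113.10", t))
    print("webmail login:", store.webmail_login("alice", True, totp(RFC6238_SECRET, t),
                                                RFC6238_SECRET, "203.0.113.10", t))
    print("IMAP after login:", store.imap_allowed("alice", "203.0.113.10", t + 60))
    print("IMAP after TTL:", store.imap_allowed("alice", "203.0.113.10", t + TRUST_TTL))
```

The trust is keyed on the user as well as the network, so a successful login from a shared hotel address does not open IMAP for every account on the server from that address; the TTL bounds how long a stolen password is useful from an address that was trusted earlier.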