On 7/1/22 1:02 PM, Jochen Bern wrote:
> On 27.06.22 00:52, Steve Dondley wrote:
>> I have a small client whose insurance company insists they have MFA
>> for their email to be covered under some kind of data protection
>> policy.
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
> POP, and IMAP protocol definitions do not provide elbow room to make
> *two* rounds of authentication.
What Jochen said.
The protocols were designed long before SAML and OIDC. SAML/OIDC give you more control over authn/z and allow easily adding in MFA or other different types of auth. To do this right, you'd need to extend the protocol to allow OIDC or SAML.

As some have noted, you can shoehorn it in. But I would not recommend doing that. Adding security as a bolt-on ad hoc usually has holes.
But if you really wanted to do this, I'd suggest something like:
* Extend dovecot to use an OIDC access token instead of a username/password.
* Set up an IDP with your connection, defining credentials as well as MFA info.
* Set up the IDP with an API - this is the API for generating the access token used by dovecot.
* Extend Thunderbird or your mail app to use the IDP to get the access token, then use that to connect to Dovecot.
So this sounds kind of cool to me. If you want a little help setting it up with Auth0, ping me off list.
John
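As an added example (not code from this thread, from Dovecot or from Auth0) of what the "access token instead of a username/password" step looks like on the wire: the client packs the IdP-issued token into an RFC 7628 OAUTHBEARER initial response, and the server side verifies it the way an OAuth2 passdb has to before treating the token as a login, checking expiry, audience, that the token's subject matches the mailbox user being requested, and that the IdP actually performed MFA (the `amr` claim), which is the insurer's real requirement. The IdP introspection endpoint is replaced by a constructed table; host, port, user and token values are assumptions.

```python
import base64
import time

# Constructed sample values for the example (not from the thread).
IMAP_HOST, IMAP_PORT = "imap.example.com", 993

# Stand-in for the IdP's RFC 7662 token introspection endpoint (a constructed
# table instead of an HTTPS call). "amr" lists the auth methods the IdP used.
def _tok(exp, amr):
    return {"active": True, "sub": "alice@example.com", "aud": ["imap"], "exp": exp, "amr": amr}

INTROSPECTION_DB = {"tok-good": _tok(2_000_000_000, ["pwd", "mfa"]),
                    "tok-expired": _tok(1_000_000_000, ["pwd", "mfa"]),
                    "tok-no-mfa": _tok(2_000_000_000, ["pwd"])}

def build_oauthbearer_response(user, token, host=IMAP_HOST, port=IMAP_PORT):
    """Client side: RFC 7628 OAUTHBEARER initial response (GS2 header "n,a=<user>,", ^A-separated key=value pairs, "^A^A" terminator)."""
    msg = f"n,a={user},host={host}\x01port={port}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(msg.encode())

def parse_oauthbearer_response(blob):
    """Server side: recover the requested user (authzid) and the bearer token."""
    gs2, _, rest = base64.b64decode(blob).decode().partition(",")
    authzid, _, kvs = rest.partition(",")
    if gs2 != "n" or not authzid.startswith("a="):
        raise ValueError("unexpected GS2 header")
    fields = {"authzid": authzid[2:]}
    for item in kvs.strip("\x01").split("\x01"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields

def authenticate(blob, now=None):
    """The checks a passdb must make before treating a token as a login; returns (ok, user_or_reason)."""
    fields = parse_oauthbearer_response(blob)
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False, "no bearer token"
    info = INTROSPECTION_DB.get(token, {"active": False})
    if not info.get("active"):
        return False, "token inactive"
    if info["exp"] <= (now if now is not None else time.time()):
        return False, "token expired"
    if "imap" not in info.get("aud", []):
        return False, "token not issued for this service"
    if info["sub"] != fields["authzid"]:     # a token for user A must not log in user B
        return False, "token subject != requested user"
    if "mfa" not in info.get("amr", []):     # the insurer's actual requirement
        return False, "no MFA in token"
    return True, info["sub"]
```

The subject and `amr` checks are the ones most often skipped when OAuth is bolted onto IMAP; without them a valid token for any account, or one issued after a password-only login, gets the mailbox.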