Strategies for protecting IMAP (e.g. MFA)
Kees van Vloten
keesvanvloten at gmail.com
Sun Nov 14 13:14:18 UTC 2021
On 14-11-2021 13:56, Marc wrote:
>> Full access from any IP (except firehol-blacklist and fail2ban) is
>> possible over VPN (openvpn) with MFA (privacyidea).
>> Privacyidea also supplies a mobile-app compatible with a.o. TOTP and
>> HOTP but it provides a more secure way of enrollment (2-step).
> How are you managing dns/clients etc so only the email traffic goes through the vpn and no other traffic?
There are different use-cases:
- Mobile (phone) users will use the externally exposed mail-ports, i.e.
they have access from the geo-ip whitelist. This way the mail-app on the
phone can be used easily.
- Home or laptop users will use the VPN to get full access through the
VPN. I redirect DNS through the VPN (i.e. all queries) but not all other
traffic (no default gateway change).
- A last case not mentioned earlier is webmail, which is also hidden
behind privacyidea MFA.
The policy is to use MFA when you first connect to the network from an
untrusted location; the one exception is mail over 993/465, which is
instead limited by blacklists, geo-ip and fail2ban.
- Kees
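As an added illustration, not from Kees's mail or his actual setup, the following OpenVPN server configuration fragment expresses the split-tunnel arrangement he describes: all DNS queries redirected through the VPN, a route pushed only for the internal network holding the mail server, and no default-gateway change. The VPN subnet (10.8.0.0/24), the VPN-side resolver (10.8.0.1) and the internal LAN (192.168.10.0/24) are assumed placeholder values.

```conf
# Added example (not from the original post). OpenVPN server.conf fragment
# for a split tunnel that carries DNS and mail-server traffic only.
# Constructed placeholder addresses:
#   10.8.0.0/24     VPN subnet handed out to clients
#   10.8.0.1        resolver reachable on the VPN side
#   192.168.10.0/24 internal network where the mail server lives

server 10.8.0.0 255.255.255.0

# Push only the route the client needs for the mail server's network.
# "redirect-gateway def1" is deliberately absent: the client's default
# route stays as it was, so unrelated traffic never enters the tunnel.
push "route 192.168.10.0 255.255.255.0"

# Send every DNS query through the tunnel by handing the client the
# VPN-side resolver. "block-outside-dns" is honoured by Windows clients
# only; other platforms ignore it and need their own resolver handling.
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"

# What NOT to enable for this design: the line below would turn the
# split tunnel into a full tunnel and drag all client traffic through
# the VPN, which is exactly the behaviour the post avoids.
# push "redirect-gateway def1"
```

With this in place a client resolves the mail server's name via 10.8.0.1, obtains its internal address, and reaches it over the pushed 192.168.10.0/24 route, while browsing and everything else leave via the client's normal interface. A quick check on the client after connecting is that `ip route` (or `route print` on Windows) shows the VPN subnet and the pushed LAN route but no changed default route.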