On 7/1/22 1:02 PM, Jochen Bern wrote:
On 27.06.22 00:52, Steve Dondley wrote:
I have a small client whose insurance
company insists they have MFA for their email to be covered
under some kind of data protection policy.
*Totally* theorizing here, but as far as I'm aware, the SMTP
(AUTH), POP, and IMAP protocol definitions do not provide elbow
room to make *two* rounds of authentication.
What Jochen said.
The protocols were designed long before SAML and OIDC. SAML/OIDC give
you more control over authn/z and allow easily adding in MFA or other
different types of auth. To do this right, you'd need to extend the
protocol to allow OIDC or SAML.

As some have noted, you can shoehorn it in. But I would not recommend
doing that. Adding security as a bolt-on ad hoc usually has holes.
But if you really wanted to do this, I'd suggest something like:
- Extend dovecot to use an OIDC access token instead of a
username/password.
- Set up an IDP with your connection, defining credentials as
well as MFA info
- Set up the IDP with an API - this is the API for generating
the access token used by dovecot
- Extend Thunderbird or your mail app to use the IDP to get the
access token, then use that to connect to Dovecot.
So this sounds kind of cool to me. If you want a little help
setting it up with Auth0, ping me off list.
John
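The first bullet above (carrying an OIDC access token over IMAP instead of a username/password) has a standardized transport: the SASL OAUTHBEARER mechanism of RFC 7628, which Dovecot 2.3 and later implement natively. The Python below is an added example, not code from this thread or from Dovecot; it builds the client's initial response and strictly parses it on the server side, and the user, host and token values are constructed placeholders.

```python
import base64
import re

# RFC 7628 OAUTHBEARER initial client response:
#   "n,a=<authzid>," followed by ^A-separated key=value pairs, ending in ^A^A
CTRL_A = "\x01"
# RFC 6750 b64token syntax for the bearer token itself
BEARER_RE = re.compile(r"^Bearer [A-Za-z0-9._~+/-]+=*$")

def build_oauthbearer_response(user: str, host: str, port: int, token: str) -> bytes:
    """Client side: the base64 blob sent as 'a AUTHENTICATE OAUTHBEARER <blob>'."""
    if "," in user or CTRL_A in user or CTRL_A in token:
        raise ValueError("user/token contain characters illegal in the SASL frame")
    raw = (f"n,a={user},{CTRL_A}host={host}{CTRL_A}port={port}"
           f"{CTRL_A}auth=Bearer {token}{CTRL_A}{CTRL_A}")
    return base64.b64encode(raw.encode())

def parse_oauthbearer_response(blob: bytes) -> dict:
    """Server side: strictly decode the frame and return user, host, port and token.
    Any malformed frame raises ValueError instead of being guessed at."""
    raw = base64.b64decode(blob, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A + CTRL_A):
        raise ValueError("frame not terminated by ^A^A")
    gs2_flag, _, rest = raw[:-2].partition(",")
    if gs2_flag != "n":                      # no channel binding in this example
        raise ValueError("unsupported gs2 header")
    authzid, _, kv = rest.partition(",")
    if not authzid.startswith("a=") or len(authzid) == 2:
        raise ValueError("missing authorization identity")
    pairs = {}
    for item in kv.split(CTRL_A):
        if not item:
            continue                         # leading ^A yields an empty element
        key, sep, value = item.partition("=")
        if not sep or key in pairs:
            raise ValueError(f"bad or duplicate key: {item!r}")
        pairs[key] = value
    auth = pairs.get("auth", "")
    if not BEARER_RE.match(auth):
        raise ValueError("auth value is not a well-formed Bearer token")
    return {"user": authzid[2:], "host": pairs.get("host"),
            "port": pairs.get("port"), "token": auth[len("Bearer "):]}

if __name__ == "__main__":
    # constructed placeholder values; the token would come from the IDP
    blob = build_oauthbearer_response("alice@example.com", "imap.example.com",
                                      143, "eyJhbGciOiJSUzI1NiJ9.constructed.token")
    print(parse_oauthbearer_response(blob))
```

The parser only extracts the token; the IDP-issued token still has to be validated (signature, issuer, audience, expiry) before the user is considered authenticated.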