Quoting Jochen Bern Jochen.Bern@binect.de:
On 27.06.22 00:52, Steve Dondley wrote:
I have a small client whose insurance company insists they have MFA
for their email to be covered under some kind of data protection
policy. Currently I have the client set up on a Debian box for the
email server coupled with roundcube for webmail. Most of the users
just use roundcube but some also use their mobile devices to check
email. Maybe one person uses outlook. There’s about 5 to 10 users
total.

I know roundcube offers an MFA plugin. But I don’t have the foggiest
idea how an iPhone, Android device, or Outlook could all be set
up to work with MFA with a standard dovecot/postfix setup. Are
there any practical solutions for easily implementing MFA that
could work across multiple devices?

*Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
POP, and IMAP protocol definitions do not provide elbow room to make
*two* rounds of authentication. (Ever pondered why the admin can
require O365 users to "use 2FA", but users then are still allowed to
create "application passwords", note plural and lack of standard
password features like a limited lifetime for those?)
I implemented PrivacyIdea as a backend auth mechanism for dovecot once
in the past.
I honestly don't recall the details, and I wasn't sure how to do it
dynamically with multiple domains, but one domain worked fine. It was
due to the PI 'realm' separator being @, and using full email
addresses for the username.
I believe I used OTP for the user's webmail password and 'device
password' for imap/smtp.
Rick
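The design the thread converges on (an OTP for the webmail login, a separate per-device application password for IMAP/SMTP because those AUTH exchanges have no second round, and full e-mail addresses as usernames split into user and realm at the '@') can be illustrated with a small stand-alone backend. This is an added example, not code from Rick, PrivacyIdea, roundcube or dovecot; the user store, secrets, salts and the `authenticate()` interface are constructed here, and the wiring into dovecot (a passdb such as checkpassword or Lua) is not shown. The OTP part is plain RFC 4226/6238 HOTP/TOTP, so it can be checked against the RFC test vectors.

```python
"""
Split-factor mail authentication: OTP for webmail, per-device application
passwords for IMAP/SMTP, usernames split into (user, realm) at the last '@'.
All data below is constructed for illustration; this is not PrivacyIdea or
dovecot code.
"""
import hashlib
import hmac
import struct
import time

# Constructed per-user TOTP seeds. In a real deployment these live in the OTP
# backend; the secret below is the RFC 6238 test secret, used so the output
# can be checked against the published vectors.
TOTP_SECRETS = {
    ("alice", "example.com"): b"12345678901234567890",
}
PBKDF2_ITERATIONS = 200_000
# Per-device application passwords, keyed by (user, realm, device) and stored
# as (salt, pbkdf2 hash) rather than plaintext. Filled by register_device_password().
DEVICE_PASSWORDS = {}


def split_realm(username: str):
    """Split 'user@realm' at the last '@'; the realm is the mail domain."""
    if "@" not in username:
        raise ValueError("expected a full e-mail address as username")
    user, _, realm = username.rpartition("@")
    return user, realm.lower()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step)


def verify_otp(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- `window` steps to absorb client clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * step, step), code):
            return True
    return False


def _hash_device_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register_device_password(username: str, device: str, password: str, salt: bytes) -> None:
    """Store one application password per device for this mailbox."""
    user, realm = split_realm(username)
    DEVICE_PASSWORDS[(user, realm, device)] = (salt, _hash_device_password(password, salt))


def verify_device_password(username: str, password: str) -> bool:
    """Check an app password against every device registered for this mailbox."""
    user, realm = split_realm(username)
    for (u, r, _device), (salt, stored) in DEVICE_PASSWORDS.items():
        if (u, r) != (user, realm):
            continue
        if hmac.compare_digest(_hash_device_password(password, salt), stored):
            return True
    return False


def authenticate(username: str, credential: str, service: str, now=None) -> bool:
    """
    Route by protocol: webmail must present a TOTP code; IMAP/SMTP clients,
    whose AUTH exchange has no second round, present a device password instead.
    A device password never unlocks webmail and an OTP never unlocks IMAP/SMTP.
    """
    user, realm = split_realm(username)
    now = int(time.time()) if now is None else now
    if service == "webmail":
        secret = TOTP_SECRETS.get((user, realm))
        return secret is not None and verify_otp(secret, credential, now)
    if service in ("imap", "smtp"):
        return verify_device_password(username, credential)
    return False


if __name__ == "__main__":
    # Constructed demo: enrol a phone with its own app password, then show the
    # two paths. The OTP printed is the live code for the RFC test secret.
    register_device_password("alice@example.com", "phone", "constructed-app-pw", b"constructed-salt")
    code = totp(TOTP_SECRETS[("alice", "example.com")], int(time.time()))
    print("webmail with OTP:      ", authenticate("alice@example.com", code, "webmail"))
    print("imap with app password:", authenticate("alice@example.com", "constructed-app-pw", "imap"))
    print("imap with OTP:         ", authenticate("alice@example.com", code, "imap"))
```

The `window` in `verify_otp` is the usual drift allowance; tightening it to 0 rejects codes from the previous and next 30-second step, which is stricter but produces failed logins on phones whose clocks are slightly off. Revoking one device means deleting one entry from `DEVICE_PASSWORDS`, which is the property that makes per-device passwords preferable to a single shared mailbox password.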