On 14-11-2021 13:56, Marc wrote:
> Full access from any IP (except firehol-blacklist and fail2ban) is possible over VPN (openvpn) with MFA (privacyidea). Privacyidea also supplies a mobile app compatible with, among others, TOTP and HOTP, but it provides a more secure way of enrollment (2-step). How are you managing DNS/clients etc. so that only the email traffic goes through the VPN and no other traffic?
There are different use-cases:
Mobile (phone) users will use the externally exposed mail ports, i.e. they have access from the geo-IP whitelist. This way the mail app on the phone can be used easily.
Home or laptop users will use the VPN to get full access. I redirect DNS through the VPN (i.e. all queries) but not all other traffic (no default gateway change).
A last case not mentioned earlier is webmail, which is also hidden behind privacyidea MFA.
The policy is to use MFA when you first connect to the network from an untrusted location; the one exception is mail over 993/465, which instead is limited by blacklists, geo-IP and fail2ban.
- Kees
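The split-tunnel setup Kees describes (DNS forced through the VPN, default gateway left alone) maps onto a few OpenVPN server directives. The fragment below is an added illustration, not Kees's actual configuration or anything from the thread; the VPN subnet, internal LAN, resolver address and mail server address are assumed values.

```conf
# OpenVPN server configuration fragment (added example; assumed addresses).
# Assumed: VPN pool 10.8.0.0/24, internal LAN 192.168.10.0/24,
# internal resolver at 10.8.0.1 (the VPN server itself).
server 10.8.0.0 255.255.255.0

# Push routes only for the networks that should traverse the tunnel
# (the internal LAN, which holds the mail and webmail hosts).
# Everything else keeps using the client's normal default route.
push "route 192.168.10.0 255.255.255.0"

# Resolve all names through the tunnel, so internal hostnames work
# and clients do not leak queries to their local resolver.
push "dhcp-option DNS 10.8.0.1"
# Windows-only helper that blocks other DNS servers while connected:
push "block-outside-dns"

# Deliberately NOT pushed: this would make the VPN the default gateway
# and send all client traffic through it, which is what the setup avoids.
# push "redirect-gateway def1"
```

The pushed `dhcp-option DNS` is applied automatically on Windows and macOS clients; Linux clients only honour it via a resolver hook such as the `update-resolv-conf` script or a `systemd-resolved` integration, and `block-outside-dns` has no effect there, so DNS leakage on those clients must be checked separately. With no `redirect-gateway`, only traffic for the pushed route (and DNS) uses the tunnel, which is the behaviour described above.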