2FA for Dovecot

Kees de Jong kees.dejong+dev at neobits.nl
Mon Jan 6 13:58:34 EET 2020


Hi,



My goal is to protect my mail account with 2FA, which isn't a crazy
idea in 2020. Therefore, I would like to know the possibilities of
configuring 2FA for Dovecot. In the documentation there are some hints
of e.g. OTP in Dovecot [1] and using FreeIPA with Dovecot [2], where
FreeIPA has the ability to enable OTP per user [3].

But I can't really find much practical information about such a setup.
The documentation of Dovecot is quite silent about the OTP
authentication mechanism and the same goes for the FreeIPA and Dovecot
combination with OTP.

So my question is: is this even a supported setup? And if so, where is
the documentation? And if not, what's the recommended method to secure
your mail setup?

I can imagine alternative solutions like putting the submission and
IMAP port behind a VPN and having all the clients use that VPN. And for
the public internet, simply use a web interface (e.g. Nextcloud with
Rainloop) which supports 2FA. But I prefer having OTP for e.g. Android
and Linux clients.


[1] https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
[2] https://www.freeipa.org/page/Dovecot_Integration
[3] https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7



-- 
Kind regards,
Kees de Jong

The information contained in this e-mail may be confidential and is
intended to be exclusively for the addressee(s). Should you receive
this e-mail unintentionally, please do not use the contents herein and
notify the sender immediately by return e-mail. This e-mail, including
the attachments, is not legally binding, unless otherwise agreed upon
in writing.
--
OpenPGP fingerprint: 0x0E45C98AB51428E6