2FA for Dovecot

Michael Peddemors michael at linuxmagic.com
Thu Jan 9 02:08:08 EET 2020


Happy New Year all..

Still awaiting the merge of our variable capabilities patch.. once that 
is out, we can release the plugin for CLIENTID which can do all your 2FA 
for you as well..

Looking forward to a great 2020.  Also be aware, the last two (2) months 
have seen a significant increase in brute force attacks against IMAP 
servers.. mostly using variations of older data breach passwords..

Make sure you have some form of 'weak password' detection in place.

Also, the sheer size of the botnets (IoT devices) means increased loads 
on your servers, so seriously consider country AUTH blocking, if your 
users don't need to log in from foreign countries, if you haven't already..

"MaxMind" makes that very easy, just be aware that they have changed 
some policies.. make sure you give them accreditation where due.

A lot of the attacks are against NON-TLS/SSL ports, but everyone should 
slowly move to simply blocking Port 110/143 AUTH attempts, if you really 
want to protect your users.

  AUTH failure: 'michael at linuxmagic.com' CLIENTID enforced and missing CLIENTID or CLIENTID_TYPE rip=61.148.29.198 (CN) lip=192.168.0.204:143 (NON-TLS)

On 2020-01-07 12:43 a.m., lists wrote:
> I block all my email ports except 25 from countries where I am not going to be sending or receiving email. I also block many datacenters, but blocking Digital Ocean, Vultr and AWS will get you 90% of the way there. You will need to use 587, that is no auth on 25. Again no blocking on 25, just block the other email ports.
> 
> I get maybe one attempt to log into my email account a week. Yeah not as good as 2FA but it isn't a research project either. Just a little firewall programming. I get the CIDRs from bgp.he.net.
> 
> I am assuming this is a personal server.
> 
> A bit extreme, but you could set up a VPN on a VPS and only allow that IP to send and receive email.
> 
> 
> 
> 
>    Original Message
> 
> 
> From: lists at luigirosa.com
> Sent: January 7, 2020 12:29 AM
> To: dovecot at dovecot.org
> Subject: Re: 2FA for Dovecot
> 
> 
> Kees de Jong wrote on 06/01/2020 12:58:
> 
>> My goal is to protect my mail account with 2FA, which isn't a crazy
>> idea in 2020. Therefore, I would like to know the possibilities of
>> configuring 2FA for Dovecot.
> 
> Use an authentication backend that supports 2FA, such as oAuth:
> 
> https://wiki.dovecot.org/PasswordDatabase/oauth2
> 
> 
> 
> --
> 
> 
> Ciao,
> luigi
> 
> /
> +--[Luigi Rosa]--
> \
> 



-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
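
Added example, not part of the original message and not LinuxMagic or Dovecot code: a small Python tally over AUTH failure lines in the layout quoted above, showing failures per country, cleartext attempts, and sources that fail against many accounts. It assumes every line follows that one quoted layout; the function names, the constructed sample lines and the "(TLS)" marker are assumptions.

```python
import re
from collections import Counter, defaultdict

# Layout copied from the one log line quoted in the message; lines that
# do not match it are skipped rather than guessed at.
LINE_RE = re.compile(
    r"AUTH failure: '(?P<user>[^']*)' (?P<reason>.*?) "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+) \((?P<cc>[A-Z]{2})\) "
    r"lip=(?P<lip>[0-9A-Fa-f.:]+):(?P<port>\d+) \((?P<tls>[A-Z-]+)\)"
)

def parse(line):
    """Return the fields of one AUTH failure line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, allowed_countries, spray_threshold=3):
    """Tally failures by country, cleartext use and distinct users per source."""
    by_country, cc_by_rip = Counter(), {}
    users_by_rip = defaultdict(set)
    cleartext = 0
    for rec in filter(None, map(parse, lines)):
        by_country[rec["cc"]] += 1
        cc_by_rip[rec["rip"]] = rec["cc"]
        users_by_rip[rec["rip"]].add(rec["user"].lower())
        cleartext += rec["tls"] == "NON-TLS"
    return {
        "by_country": dict(by_country),
        "cleartext_failures": cleartext,
        # Sources in countries your users are not expected to log in from.
        "outside_allowed": sorted(r for r, cc in cc_by_rip.items()
                                  if cc not in allowed_countries),
        # One source failing against many different accounts.
        "many_users": sorted(r for r, u in users_by_rip.items()
                             if len(u) >= spray_threshold),
    }

REASON = "CLIENTID enforced and missing CLIENTID or CLIENTID_TYPE"
SAMPLE = [
    # The line quoted in the message, rejoined onto one line.
    f"AUTH failure: 'michael at linuxmagic.com' {REASON} "
    "rip=61.148.29.198 (CN) lip=192.168.0.204:143 (NON-TLS)",
    # Constructed lines (documentation addresses; the "(TLS)" marker is assumed).
    f"AUTH failure: 'alice@example.org' {REASON} rip=203.0.113.7 (BR) lip=192.168.0.204:143 (NON-TLS)",
    f"AUTH failure: 'bob@example.org' {REASON} rip=203.0.113.7 (BR) lip=192.168.0.204:143 (NON-TLS)",
    f"AUTH failure: 'carol@example.org' {REASON} rip=203.0.113.7 (BR) lip=192.168.0.204:110 (NON-TLS)",
    f"AUTH failure: 'alice@example.org' {REASON} rip=198.51.100.20 (CA) lip=192.168.0.204:993 (TLS)",
    "some unrelated log line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, allowed_countries={"CA"}))
```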

