Re: 2FA/MFA with IMAP & postfix/submission

Aki Tuomi aki.tuomi at open-xchange.com
Thu Jul 15 08:26:55 EEST 2021


Unfortunately the best way to do multifactor authentication today is to use OAUTH2, which isn't currently supported for your own installations. Or you can use client certs.

If you want to use some kind of MFA with tokens, you end up having to feed your token all the time. So the best option, for now, is device passwords.

Aki

> On 15/07/2021 08:18 Sebastian <sebastian at sebbe.eu> wrote:
> 
>  
> Main problem is that not many clients do natively support multifactor.
> Some clients do pop up a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just pop up an error dialog and tell the user to correct the password in settings.
> Some clients even go as far as requiring the user to delete the account with the wrong password and set up a new connection.
> 
> So no, it cannot be relied upon.
> 
> I have a better idea:
> Have a function for whitelisting IPs, possibly /24s or similar, where a login to roundcube or another webmail client (with 2FA) will add the IP onto a whitelist for that account.
> Or perhaps, just "set" the country of the account based on GeoIP.
> 
> When an account tries to log in via IMAP or SMTP, you just check if the IP and/or GeoIP country is right, and reject the login as invalid if not.
> 
> The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working is to log in once via the web client.
> 
> -----Original message-----
> From: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> On behalf of Alex
> Sent: 15 July 2021 02:10
> To: dovecot at dovecot.org
> Subject: 2FA/MFA with IMAP & postfix/submission
> 
> Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred
> IMAP4 accounts, as well as postfix users using submission. Clients are
> using primarily Outlook on Windows and old squirrelmail.
> 
> Are there multi-factor options available?
> 
> If it is not available, do you have any recommendations on where I
> should look to do this?
> 
> All of the links related to this topic appear to be very old, or
> limited to Linux PAM users.

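The allowlist scheme Sebastian sketches in the quoted message (a 2FA-protected webmail login unlocks the client's source network for that account; later IMAP/SMTP password logins are only accepted from an unlocked network) is small enough to write out. The following is an added example, not code from this thread or from Dovecot, and it makes several assumptions that the thread leaves open: an IPv4 login unlocks its /24 and an IPv6 login its /64, entries expire after 30 days so a stolen device password stops working without a fresh webmail login, the store is an in-memory dict, and `allow_password_login` stands in for whatever hook (a policy server, a Lua or checkpassword passdb) would consult it from the IMAP/SMTP auth path. GeoIP, which Sebastian mentions as an alternative, needs an external database and is left out.

```python
"""Per-account source-network allowlist, populated by a 2FA-protected webmail
login and consulted on plain-password IMAP/SMTP logins.

Added example: the store, prefix lengths and TTL are assumptions, not part
of Dovecot or of the mailing-list thread.
"""
import ipaddress
import time

# Assumed prefix lengths: a webmail login unlocks the whole /24 (IPv4) or
# /64 (IPv6) it came from, so a client whose address moves within its
# provider's block keeps working.
IPV4_PREFIX = 24
IPV6_PREFIX = 64

# Assumed lifetime of an entry; once it lapses the user must log in to
# webmail (with the second factor) again before IMAP/SMTP is accepted.
DEFAULT_TTL_SECONDS = 30 * 24 * 3600


def network_for(ip: str):
    """Return the allowlist network covering the given client address."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    # strict=False lets a host address stand in for its network.
    return ipaddress.ip_network((addr, prefix), strict=False)


class SourceAllowlist:
    """Maps user -> {network: expiry timestamp}."""

    def __init__(self, ttl: float = DEFAULT_TTL_SECONDS):
        self.ttl = ttl
        self._entries = {}

    def record_webmail_login(self, user: str, ip: str, now: float = None):
        """Call only after a webmail login that passed the second factor.

        Returns the network that was unlocked for the account.
        """
        now = time.time() if now is None else now
        net = network_for(ip)
        self._entries.setdefault(user, {})[net] = now + self.ttl
        return net

    def allow_password_login(self, user: str, ip: str, now: float = None) -> bool:
        """Decide whether an IMAP/SMTP password login from `ip` may proceed.

        The caller should still verify the password; this check is an
        additional gate, and a False result should be reported to the
        client exactly like a wrong password so an attacker cannot tell
        the two apart.
        """
        now = time.time() if now is None else now
        nets = self._entries.get(user)
        if not nets:
            return False
        # Purge expired entries as a side effect of the lookup.
        for net in [n for n, exp in nets.items() if exp <= now]:
            del nets[net]
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 / RFC 3849 documentation ranges.
    acl = SourceAllowlist(ttl=3600)
    acl.record_webmail_login("alice", "203.0.113.77", now=1000.0)
    print(acl.allow_password_login("alice", "203.0.113.5", now=1500.0))
    print(acl.allow_password_login("alice", "198.51.100.5", now=1500.0))
```

Two caveats a deployment would have to deal with: mobile carriers and large NATs hand out addresses across many /24s, so a phone may fall outside the unlocked block soon after the webmail login, and conversely anyone else behind the same NAT shares the unlocked network, which is why the password check must stay in place and this list can only ever narrow, not replace, it.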
