Sv: 2FA/MFA with IMAP & postfix/submission

Rick Romero rick at havokmon.com
Thu Jul 15 18:03:22 EEST 2021


  Quoting Alex <mysqlstudent at gmail.com>:

> Hi,
>
>> Unfortunately the best way to do multifactor authentication today  
>> is to use OAUTH2, which isn't currently supported for own  
>> installations. Or you can use client certs.
>>
>> If you want to use some kind of MFA with tokens, you end up having  
>> to feed your token all the time. So the best option, for now, is  
>> device passwords.
>
> Client certs appears to be a good solution.
>
> What's the process for managing them with more than a hundred client  
> accounts?
>
> I believe the problem they are trying to solve is hacked accounts from
> compromised passwords. Does client certs solve that problem?

Client certs would solve that - but you'll need some management around  
it (creation/deployment/renewal/device changes/etc). The easiest  
method is to run MDM and PKI infrastructure, but with 100 clients I  
kinda doubt that's in place and I wonder if they have the budget for it.

Another option, not open source, but if you engage Recorded Future,  
you can get a report and notifications of password compromises, and  
then take action on that info (i.e., force the affected user to change  
their password).

Alternatively, and free, don't use the email address as the username  
for authentication, use some other generic ID.

Rick
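The following is an added example and is not code from Rick's reply or from the Dovecot project. It shows the minimum mechanics behind the client-certificate option discussed above: a private CA, a client certificate whose CN is a login name rather than the e-mail address, the check Dovecot performs against the CA, and the Dovecot 2.x settings that switch this on. The CA name, the user name, the working directory, the key sizes and the validity periods are assumptions; the renewal, revocation and device-change management Rick mentions is not covered here.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Requires the openssl CLI. All names/paths below are assumptions.
set -eu

# Scratch directory for keys and certificates (assumption: override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# 1. Create a private CA. Dovecot is pointed at ca.pem via ssl_ca and will
#    only accept client certificates chained to it.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Mail Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Issue a client certificate. The CN is the login name Dovecot will use
#    (auth_ssl_username_from_cert), deliberately not the e-mail address.
issue_client_cert() {
  user="$1"; days="${2:-365}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days "$days" -out "$WORK/$user.pem" 2>/dev/null
}

# 3. What the server side effectively does: reject anything not signed by
#    the CA, otherwise take the CN as the username. Prints the username
#    on success and returns non-zero on failure.
verify_and_extract_user() {
  cert="$1"
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=//p'
}

# 4. Dovecot 2.x settings that enable the above (file location is an assumption).
dovecot_conf_snippet() {
  cat <<EOF
# /etc/dovecot/conf.d/10-ssl.conf (assumed path)
ssl = required
ssl_ca = <$WORK/ca.pem
ssl_verify_client_cert = yes

# /etc/dovecot/conf.d/10-auth.conf (assumed path)
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
EOF
}

# Demo run: issue a cert for a generic login ID and show what Dovecot would see.
demo() {
  make_ca
  issue_client_cert "u1042"
  echo "authenticated as: $(verify_and_extract_user "$WORK/u1042.pem")"
  dovecot_conf_snippet
}

demo
```

Because `auth_ssl_username_from_cert` takes the username from the certificate, the passdb/userdb lookup happens on the CN (here a generic ID), which also gives you Rick's last suggestion for free: a leaked mailbox password is useless without the matching certificate, and the login name is not guessable from the address.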

