Sv: 2FA/MFA with IMAP & postfix/submission

Michael Peddemors michael at linuxmagic.com
Thu Jul 15 18:21:18 EEST 2021


On 2021-07-15 8:07 a.m., Laura Smith wrote:
> 
>> Perhaps there are dovecot (and postfix submission) options to at least restrict access by IP?
> 
> Restricting by IP is soon going to become very tedious, especially if you are dealing with more than a small number of users, and especially once post-COVID travel comes back and people start connecting from random hotels and airport lounges.
> 
> If you don't fancy the idea of client certs, the alternative I would suggest instead of IP limiting would be a Wireguard VPN instead of IP limiting.
> 
> Wireguard VPN servers run very quiet and won't respond to anything unless a client sends the right parameters.
> 
> Of course the downside of a VPN compared to certificates is that the user will have to be aware and know how to manage a VPN, whilst with certificates it can all be quietly done in the background.
> 

And of course, you can always do..


     submission inet n       -       y       -       -       smtpd
       -o smtpd_tls_security_level=encrypt
       -o smtpd_sasl_auth_enable=yes
       -o smtpd_delay_reject=no
       -o { smtpd_client_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.39, permit }
       -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }

Pick your favourite RBLs.. And we do suggest, based on our threat
teams' research, that you block AUTH from many of the cloud providers'
IP space; several RBLs out there make it easy..

And/or, you can create your own lists; Amazon/Google/Azure all list
their IP space publicly..

Just remember, use your own DNS servers, or upstream DNS servers, and
NOT open resolvers such as Google's 8.8.8.8, as most RBLs block queries
from those..


-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
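
The "create your own lists" suggestion above, as an added example that is not part of the original post: a Python sketch that turns a provider's published range file into a Postfix `cidr:` table for `check_client_access` on the submission service. It assumes the JSON layout of AWS's ip-ranges.json (`prefixes[].ip_prefix`, `ipv6_prefixes[].ipv6_prefix`); the sample document, the function names, the exemption and the reject text are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json, using
# documentation prefixes rather than real provider space.
SAMPLE = json.dumps({
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "service": "AMAZON"},  # duplicate
        {"ip_prefix": "203.0.113.0/24", "service": "EC2"},
        {"ip_prefix": "not-a-prefix", "service": "EC2"},        # malformed
    ],
    "ipv6_prefixes": [{"ipv6_prefix": "2001:db8:1000::/40", "service": "EC2"}],
})
REJECT = "REJECT AUTH not accepted from hosting networks"  # constructed text

def load_networks(doc):
    """Parse both address families, skip bad entries, merge overlaps."""
    data = json.loads(doc)
    raw = [p.get("ip_prefix") for p in data.get("prefixes", [])]
    raw += [p.get("ipv6_prefix") for p in data.get("ipv6_prefixes", [])]
    nets = {4: [], 6: []}
    for text in raw:
        try:
            net = ipaddress.ip_network(text)
        except (ValueError, TypeError):
            continue  # never emit an unparsable line into the table
        nets[net.version].append(net)
    # collapse_addresses() accepts only one address family per call
    return [n for fam in (4, 6) for n in ipaddress.collapse_addresses(nets[fam])]

def cidr_table(nets, exempt=()):
    """Render a Postfix cidr: table. Exemptions go first: first match wins."""
    lines = [f"{ipaddress.ip_network(e)} DUNNO" for e in exempt]
    lines += [f"{n} {REJECT}" for n in nets]
    return "\n".join(lines) + "\n"

def is_listed(ip, nets):
    """Dry-run check of one client address against the generated list."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    print(cidr_table(load_networks(SAMPLE), exempt=["203.0.113.25"]), end="")
```

Write the output to a file of your choosing and reference it as `check_client_access cidr:<that file>` in the submission service's `smtpd_client_restrictions`, ahead of the final `permit`.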



More information about the dovecot mailing list