Re: 2FA/MFA with IMAP & postfix/submission

justina colmena ~biz justina at colmena.biz
Thu Jul 15 19:58:01 EEST 2021


I think it's only 12 steps. There are people who need to sober up....

On July 15, 2021 8:54:16 AM AKDT, Sebastian <sebastian at sebbe.eu> wrote:
>The thing is, that people must stop expecting "being able to access
>mail whenever you are" without extra steps.
>
>Best solution is to offer a webmail with TOTP or SQRL or similar
>secure auth method.
>
>Then have that webmail add IP or country into trusted list, so if you
>want to access IMAP mail or SMTP mail from hotel wifi, you have to
>simply do one single login to webmail, and then your IMAP/SMTP will
>work as usual.
>
>The problem with certificates, is as I said, not many clients support
>them. Outlook supports them natively, I don't know if Windows Mail
>supports them, and I don't know if Samsung Mail does support them (maybe
>they do support client certificates in Enterprise mode, but then you
>need a license for that), K9 mail I know supports them, other built-in
>email clients I don't know if they support client certificates.
>
>The solution I have on my email is an OpenVPN connection to my server,
>which is protected. My phone has a 24/7 connection to that VPN server,
>and thus I'm able to lock out all logins outside from VPN.
>
>-----Original message-----
>From: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> on behalf of
>@lbutlr
>Sent: 15 July 2021 18:37
>To: dovecot mailing list <dovecot at dovecot.org>
>Subject: Re: 2FA/MFA with IMAP & postfix/submission
>
>On 2021 Jul 15, at 08:52, Alex <mysqlstudent at gmail.com> wrote:
>> Client certs appears to be a good solution.
>
>A solution, certainly. A GOOD solution? Not really.
>
>> What's the process for managing them with more than a hundred client
>> accounts?
>
>And that's the first issue.
>
>The second issue is "my primary device is not available, I need to
>login from this other computer or use my phone which is unsuitable for
>this task. Too bad I have no choice but to use the phone because this
>computer doesn’t have the cert."
>
>And then you have the "now that I've installed this cert, this
>computer is considered trusted" which is another issue.
>
>2FA is a lot more flexible and robust.
>
>OATH works well. SQRL looks promising though it requires a web UI to
>do the authentication (and SQRL does away with passwords as well).
>
>> I believe the problem they are trying to solve is hacked accounts from
>> compromised passwords. Does client certs solve that problem?
>
>Maybe. Depends on if the hacker can get access to the user's machine or
>not.
>
>> Perhaps there are dovecot (and postfix submission) options to at least
>> restrict access by IP?
>
>It is certainly possible in Postfix, but that opens up its own issues.
>It may be acceptable in some corporate environs, but in most situations
>being able to access your email wherever you are is a requirement.
>
>-- 
>The wages of sin is death, but so is the salary of virtue, and at
>	least the evil get to go home early on Fridays. --Witches Abroad

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
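The scheme Sebastian proposes in the quoted reply (a TOTP-protected webmail login that puts the client's source IP on a per-user trusted list, which the IMAP/submission password check then consults) is sketched below as an added example; it is not code from the thread, Dovecot or Postfix. The TOTP secret, user name, IP addresses and the eight-hour trust lifetime are constructed values, and the allowlist is an in-memory dict standing in for whatever store the real mail daemons would query.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30            # RFC 6238 time step in seconds
TRUST_TTL = 8 * 3600      # constructed: how long one webmail login keeps an IP trusted
# Constructed: RFC 6238 reference secret "12345678901234567890" in base32.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for the given base32 secret at unix time `now`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TrustedIPs:
    """Per-user allowlist of source IPs: written by webmail MFA logins, read by IMAP/SMTP auth."""

    def __init__(self):
        self._trusted = {}  # (user, ip) -> unix time at which the trust expires

    def webmail_login(self, user: str, ip: str, code: str, secret_b32: str, now: int) -> bool:
        # Accept the current step and one step either side to absorb clock skew.
        window = [totp(secret_b32, now + d * TOTP_STEP) for d in (-1, 0, 1)]
        if not any(hmac.compare_digest(code, expected) for expected in window):
            return False
        # Trust is bound to the source IP, so everyone behind the same NAT (e.g. hotel
        # wifi) shares it for TRUST_TTL; keep the lifetime short for that reason.
        self._trusted[(user, ip)] = now + TRUST_TTL
        return True

    def mail_login_allowed(self, user: str, ip: str, now: int) -> bool:
        """Gate run before the IMAP/submission password check: only recently MFA'd IPs pass."""
        expiry = self._trusted.get((user, ip))
        if expiry is None:
            return False
        if now >= expiry:
            del self._trusted[(user, ip)]  # expired entries are dropped on first use
            return False
        return True
```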

