Strategies for protecting IMAP (e.g. MFA)

Kees van Vloten keesvanvloten at gmail.com
Sun Nov 14 12:50:19 UTC 2021


Apart from a really nice firewall, firehol also supplies a good set of 
IP blacklists.

For public exposure of email ports, I am using the combination of 
firehol-firewall, firehol-blacklist, fail2ban and a whitelist based on 
geo-IP. The mail-client ports exposed are 993 and 465, because STARTTLS 
is considered flawed nowadays: https://nostarttls.secvuln.info/

Full access from any IP (except firehol-blacklist and fail2ban) is 
possible over VPN (openvpn) with MFA (privacyidea).
Privacyidea also supplies a mobile app compatible with, among others, TOTP and 
HOTP, but it provides a more secure way of enrollment (2-step).

Thanks for pointing to crowdsec.net; I will see if it can tighten security 
further in cooperation with the above.

- Kees


On 14-11-2021 11:33, infoomatic wrote:
> I will throw in a few interesting projects which have kept my small
> servers safe:
>
> *) firehol.org
>
> *) crowdsec.net
>
> *) www.fail2ban.org
>
> Have a look at those interesting projects!
>
>
> On 13.11.21 22:16, Tyler Montney wrote:
>> With the world of ransomware as it is today (aka attacks seem more
>> vicious and commonplace), anything I expose to WAN must have
>> additional protection. I've seen a few posts to this list on it. The
>> only thing that helped was that Dovecot supports OAuth. Through OAuth
>> I figure I could implement MFA. However, I'd have to host my own
>> identity server. From there, Thunderbird supports OAuth so that should
>> work.
>>
>> Since this is getting increasingly complicated, I wanted to ask before
>> going further. What do you all do? Any recommendations?
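The layered policy described in the message above (a blacklist feed consulted first, then a geo-IP allow list, and fail2ban banning sources that fail Dovecot authentication repeatedly) can be checked offline against a handful of log lines. What follows is an added example and not code from this thread, from Dovecot, firehol or fail2ban: the log lines are constructed in Dovecot's default syslog-style auth-failure format, the CIDR ranges in ALLOWLIST stand in for a geo-IP whitelist, BLOCKLIST stands in for an ipset loaded from a blacklist feed, LOG_YEAR is assumed because syslog lines carry no year, and the maxretry/findtime values are illustrative.

```python
"""Fail2ban-style ban decision over Dovecot IMAP auth failures (added example).

Assumptions (all constructed for illustration, not from the thread):
  - ALLOWLIST stands in for a geo-IP allow list (documentation CIDRs),
  - BLOCKLIST stands in for a firehol-style blacklist feed in an ipset,
  - LOG_YEAR is assumed because syslog-format lines carry no year.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2021

# Stand-in for the geo-IP allow list (constructed, documentation ranges).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.0/24")]
# Stand-in for a blacklist feed loaded into an ipset (constructed).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.64/26",)]

# Constructed sample log lines in Dovecot's syslog-style format.
SAMPLE_LOG = """\
Nov 14 12:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, TLS, session=<s01>
Nov 14 12:00:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, TLS, session=<s02>
Nov 14 12:00:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, TLS, session=<s03>
Nov 14 12:00:12 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.10, TLS, session=<s04>
Nov 14 12:00:20 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.10, TLS, session=<s05>
Nov 14 12:15:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.10, TLS, session=<s06>
Nov 14 12:30:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.10, TLS, session=<s07>
Nov 14 12:30:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, TLS, session=<s08>
Nov 14 12:30:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, TLS, session=<s09>
Nov 14 12:30:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, TLS, session=<s10>
Nov 14 12:40:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<eve>, method=PLAIN, rip=198.51.100.5, lip=198.51.100.10, TLS, session=<s11>
Nov 14 12:50:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=203.0.113.200, lip=198.51.100.10, TLS, session=<s12>
"""

# Matches only auth-failure lines from imap-login/pop3-login; captures timestamp and remote IP.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?:imap|pop3)-login: Disconnected \(auth failed.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_auth_failures(log_text):
    """Return {source_ip: [datetime, ...]} for every Dovecot auth-failure line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["rip"]].append(ts)
    return failures


def firewall_verdict(ip, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Firewall layer: the blacklist is checked before the geo allow list."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in blocklist):
        return "drop-blacklist"
    if not any(addr in net for net in allowlist):
        return "drop-geo"
    return "accept"


def fail2ban_bans(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: maxretry failures inside a findtime window -> ban."""
    banned = set()
    for ip, stamps in failures.items():
        stamps = sorted(stamps)
        # Sliding window: the i-th failure and the (i-maxretry+1)-th must lie within findtime.
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= findtime:
                banned.add(ip)
                break
    return banned


def evaluate(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Combine both layers: firewall verdict first, fail2ban only for accepted sources."""
    failures = parse_auth_failures(log_text)
    bans = fail2ban_bans(failures, maxretry, findtime)
    verdicts = {}
    for ip in failures:
        verdict = firewall_verdict(ip)
        if verdict == "accept" and ip in bans:
            verdict = "ban-fail2ban"
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(evaluate(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```

In the sample, 203.0.113.7 is inside the allow list but fails three times in eight seconds and gets a fail2ban ban; 192.0.2.20 also fails three times, but spread over thirty minutes, so the findtime window never fills and it stays accepted; 198.51.100.77 is dropped by the blacklist before any counting happens; 198.51.100.5 is outside the allow list and is dropped on geo grounds. Note that in a real deployment the blacklist and geo drops happen in the firewall, so those sources never reach Dovecot's log at all; the evaluation here runs all layers on the same lines only to make the ordering visible.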
More information about the dovecot mailing list