Is multi factor authentication practical/feasible?

Rick Romero rick at havokmon.com
Fri Jul 1 21:28:57 UTC 2022


  Quoting Jochen Bern <Jochen.Bern at binect.de>:

> On 27.06.22 00:52, Steve Dondley wrote:
>> I have a small client whose insurance company insists they have MFA  
>> for their email to be covered under some kind of data protection  
>> policy. Currently I have the client set up on a Debian box for the  
>> email server coupled with roundcube for webmail. Most the users  
>> just use roundcube but some also use their mobile devices to check  
>> email. Maybe one person uses outlook. There’s about 5 to 10 users  
>> total.
>>
>> I know roundcube offers a MFA plugin. But I don’t have the foggiest  
>> idea how of an iPhone, Android device, or Outlook could all be set  
>> up to work with MFA with a standard dovecot/postfix setup. Are  
>> there any practical solutions for easily implementing MFA that  
>> could work across multiple devices?
>
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),  
> POP, and IMAP protocol definitions do not provide elbow room to make  
> *two* rounds of authentication. (Ever pondered why the admin can  
> require O365 users to "use 2FA", but users then are still allowed to  
> create "application passwords", note plural and lack of standard  
> password features like a limited lifetime for those?)

I implemented PrivacyIdea as a backend auth mechanism for dovecot once  
in the past.

I honestly don't recall the details, and I wasn't sure how to do it  
dynamically with multiple domains, but one domain worked fine. It was  
due to the PI 'realm' separator being @, and using full email  
addresses for the username. 
I believe I used OTP for the user's webmail password and 'device  
password' for imap/smtp.

Rick
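The split Rick describes (password plus OTP for the webmail login, a separate single-credential device password for IMAP/SMTP, since those protocols have no second authentication round), written out as an added Python example; this is not Rick's PrivacyIdea setup nor any Dovecot code. The in-memory user store, the PBKDF2 parameters, the TOTP window and the device-password lifetime are all assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time

ITERATIONS = 200_000  # PBKDF2 work factor (assumption; tune for your hardware)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the webmail second factor."""
    key = base64.b32decode(secret_b32)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def make_user(password, totp_secret_b32):
    """Constructed in-memory record: one password hash, one TOTP seed, N devices."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw": _hash(password, salt),
            "totp": totp_secret_b32, "devices": {}}

def add_device_password(user, label, lifetime_s, now):
    """Issue one per-device password for IMAP/SMTP. It is returned once,
    stored only hashed, and expires (the lifetime app passwords usually lack)."""
    plain = secrets.token_urlsafe(18)
    salt = secrets.token_bytes(16)
    user["devices"][label] = {"salt": salt, "hash": _hash(plain, salt),
                              "expires": now + lifetime_s}
    return plain

def verify_webmail(user, password, code, now=None):
    """Webmail login: long-term password AND a TOTP code within +/- one step."""
    ok_pw = hmac.compare_digest(_hash(password, user["salt"]), user["pw"])
    now = time.time() if now is None else now
    ok_code = any(hmac.compare_digest(totp(user["totp"], now + d * 30), code)
                  for d in (-1, 0, 1))
    return ok_pw and ok_code

def verify_device(user, password, now):
    """IMAP/SMTP login carries a single credential, so match it against the
    unexpired device passwords. Returns the device label (useful for logging
    and per-device revocation) or None."""
    for label, dev in user["devices"].items():
        if now < dev["expires"] and hmac.compare_digest(
                _hash(password, dev["salt"]), dev["hash"]):
            return label
    return None
```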