2FA for Dovecot

2FA for Dovecot

Kees de Jong
Hi,



My goal is to protect my mail account with 2FA, which isn't a crazy
idea in 2020. Therefore, I would like to know the possibilities of
configuring 2FA for Dovecot. In the documentation there are some hints
of e.g. OTP in Dovecot [1] and using FreeIPA with Dovecot [2], where
FreeIPA has the ability to enable OTP per user [3].

But I can't really find much practical information about such a setup.
The documentation of Dovecot is quite silent about the OTP
authentication mechanism and the same goes for the FreeIPA and Dovecot
combination with OTP.

So my question is: is this even a supported setup? And if so, where is
the documentation? And if not, what's the recommended method to secure
your mail setup?

I can imagine alternative solutions like putting the submission and
IMAP port behind a VPN and have all the clients use that VPN. And for
the public internet, simply use a web interface (e.g. Nextcloud with
Rainloop) which supports 2FA. But I prefer having OTP for e.g. Android
and Linux clients.


[1]
https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
[2] https://www.freeipa.org/page/Dovecot_Integration
[3]
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7



--
Kind regards,
Kees de Jong

The information contained in this e-mail may be confidential and is
intended to be exclusively for the addressee(s). Should you receive
this e-mail unintentionally, please do not use the contents herein and
notify the sender immediately by return e-mail. This e-mail including
the attachments are not legally binding, unless otherwise agreed upon
in writing.
--
OpenPGP fingerprint: 0x0E45C98AB51428E6


Re: 2FA for Dovecot

Plutocrat
You don't say what sort of 2FA you're considering, but wouldn't you just tell Dovecot to use PAM, and then extend PAM to use a 2FA module? For example, there's a Google Authenticator one available in the second link below.

https://doc.dovecot.org/configuration_manual/authentication/pam/
https://github.com/google/google-authenticator-libpam

P.
(Not a dovecot expert, although I know a fair amount about Linux)

On 06/01/2020 19.58, Kees de Jong wrote:

> My goal is to protect my mail account with 2FA, which isn't a crazy
> idea in 2020. Therefore, I would like to know the possibilities of
> configuring 2FA for Dovecot. In the documentation there are some hints
> of e.g. OTP in Dovecot [1] and using FreeIPA with Dovecot [2], where
> FreeIPA has the ability to enable OTP per user [3].
>
> But I can't really find much practical information about such a setup.
> The documentation of Dovecot is quite silent about the OTP
> authentication mechanism and the same goes for the FreeIPA and Dovecot
> combination with OTP.
>
> So my question is; is this even a supported setup? And if so, where is
> the documentation? And if not, what's the recommended method to secure
> your mail setup?


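The PAM route suggested above, worked out as an added example for this thread (not from the post, and not from the Dovecot or google-authenticator-libpam projects). It assumes a Dovecot 2.x split configuration under conf.d/, a PAM service called `dovecot`, and google-authenticator-libpam's `forward_pass` option: an IMAP client has a single password field, so the user types `<unix password><6-digit code>`, the module strips and verifies the trailing code and hands the remainder to pam_unix. File paths are the usual Debian/Red Hat defaults and are assumptions.

```conf
# /etc/dovecot/conf.d/10-auth.conf  (Dovecot side: hand password checks to PAM)
disable_plaintext_auth = yes          # PLAIN/LOGIN only after STARTTLS / on 993
auth_mechanisms = plain login
auth_cache_size = 0                   # keep the auth cache off: the "password"
                                      # now changes every 30 s and must not be replayable
!include auth-system.conf.ext

# /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
  args = dovecot                      # PAM service name -> /etc/pam.d/dovecot
}
userdb {
  driver = passwd                     # the PAM route implies real system accounts
}

# /etc/pam.d/dovecot
# The client sends "<unix password><TOTP code>" in the one IMAP password field.
# forward_pass: strip the trailing 6 digits, verify them against
# ~/.google_authenticator, then pass the remainder on as the password.
auth     required  pam_google_authenticator.so  forward_pass
auth     required  pam_unix.so                  use_first_pass
account  required  pam_unix.so
```

Two practical caveats. Every login, including each reconnect of a polling mail client, needs a fresh code, so this suits occasional logins better than an always-connected phone client. And the module reads the secret from the user's home directory by default, which is why this needs local accounts; the `secret=` and `user=` module options let you relocate the secret file, but pam_unix still wants a system user.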

Re: 2FA for Dovecot

Benny Pedersen-2
Plutocrat wrote on 2020-01-07 03:33:

> https://doc.dovecot.org/configuration_manual/authentication/pam/
> https://github.com/google/google-authenticator-libpam

It doesn't scale very well to limit 2FA to only PAM users; Dovecot supports
many other auth backends, and IMHO Dovecot should never use 2FA, but it
could, and IMHO should, be done in the Dovecot auth backend if possible, to
keep control where it belongs.

If 2FA solves weak passwords then 2FA is not needed, so keep it simple
:=)

Strong passwords are not a solution to leaked passwords; in that case
2FA could help.

Fun part: there are nets that control Visa card auth and can't make a policy
that SMS verification must be done on every transfer of money; the only solution
there is to change to Mastercard and enable geolocation blocking of everything
until one wants to use one's own Mastercard. I don't trust email auth
to be better.

Re: 2FA for Dovecot

Luigi Rosa-2
In reply to this post by Kees de Jong
Kees de Jong wrote on 06/01/2020 12:58:

> My goal is to protect my mail account with 2FA, which isn't a crazy
> idea in 2020. Therefore, I would like to know the possibilities of
> configuring 2FA for Dovecot.

Use an authentication backend that supports 2FA, such as OAuth2:

https://wiki.dovecot.org/PasswordDatabase/oauth2



--


Ciao,
luigi

/
+--[Luigi Rosa]--
\
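What the OAuth2 route looks like on the Dovecot side, as an added example for this thread (not from the post, and not copied from the Dovecot documentation). The second factor is enforced by the identity provider when it issues the token; Dovecot only introspects tokens and never sees a password, which is also why it works with virtual users. The provider hostname, client credentials and the claim names are placeholders; the setting names follow Dovecot's oauth2 passdb, so check them against the version you run.

```conf
# /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
!include auth-oauth2.conf.ext

# /etc/dovecot/conf.d/auth-oauth2.conf.ext
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}
userdb {
  driver = static                     # virtual users: no system accounts needed
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

# /etc/dovecot/dovecot-oauth2.conf.ext  (idp.example.org and the credentials are placeholders)
introspection_mode = post
introspection_url = https://idp.example.org/oauth2/introspect
client_id = dovecot
client_secret = REPLACE-ME
username_attribute = email            # token claim that becomes the Dovecot user
active_attribute = active             # RFC 7662 introspection: drop revoked/expired tokens
active_value = true
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
```

The client has to speak XOAUTH2 or OAUTHBEARER. If you keep a password passdb with PLAIN/LOGIN enabled for the same accounts so that older clients still work, the second factor is bypassable through that path, so either drop it or restrict it to an allow-listed set of clients.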

Re: 2FA for Dovecot

lists
I block all my email ports except 25 from countries where I am not going to be sending or receiving email. I also block many datacenters, but blocking Digital Ocean, Vultr and AWS will get you 90% of the way there. You will need to use 587; that is, no auth on 25. Again, no blocking on 25, just block the other email ports.

I get maybe one attempt to log into my email account a week. Yeah, not as good as 2FA, but it isn't a research project either. Just a little firewall programming. I get the CIDRs from bgp.he.net.

I am assuming this is a personal server.

A bit extreme, but you could set up a VPN on a VPS and only allow that IP to send and receive email.




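The firewall policy from the post above as an nftables ruleset, added here as an example (not the poster's own rules): port 25 stays reachable from everywhere because that is where other MTAs deliver, and only the ports where authentication happens are dropped for the listed sources. The two CIDRs are RFC 5737 documentation ranges standing in for the country and datacenter prefixes you would export from bgp.he.net.

```conf
# /etc/nftables.conf fragment (placeholder prefixes; load the real ones from your bgp.he.net export)
table inet mail {
  set blocked_src {
    type ipv4_addr
    flags interval
    elements = { 198.51.100.0/24, 203.0.113.0/24 }   # datacenter / country ranges (placeholders)
  }
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 25 accept                                  # inbound MX must stay open; no AUTH offered there
    ip saddr @blocked_src tcp dport { 110, 143, 587, 993, 995 } drop
  }
}
```

Keep the set maintenance out of band (a cron job that regenerates the elements from the export and runs `nft -f`), and remember that this only shrinks the attack surface; it does nothing for a credential reused from a breach and tried from an address you did not block.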

Re: 2FA for Dovecot

Kees de Jong
In reply to this post by Kees de Jong
I did mention OTP for 2FA, and OTP can indeed be Google Authenticator;
the reason I'm not that specific is because the documentation isn't :)

PAM can indeed be used for this; I've read some list conversations
about this [1], [2]. However, as I mentioned in my first post, I'm
interested to know about the internal Dovecot authentication methods,
since using PAM requires local users and I prefer using the virtual
users inside Dovecot.

There are several OTP authentication mechanisms in the source code [3],
[4], [5]. However, these lack documentation [6]. Therefore, I would
like to explore these builtin authentication methods first.

Is there someone in the Dovecot community that can provide some more
information about this, or the status of these authentication modules?



[1] https://dovecot.org/pipermail/dovecot/2013-March/088844.html
[2] https://dovecot.org/pipermail/dovecot/2007-February/019340.html
[3] https://github.com/dovecot/core/blob/master/src/auth/mech-otp.c
[4]
https://github.com/dovecot/core/blob/master/src/auth/mech-otp-skey-common.c
[5]
https://github.com/dovecot/core/blob/master/src/auth/password-scheme-otp.c
[6]
https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/



On Tue, 2020-01-07 at 05:54 +0200, [hidden email] wrote:

> You don't say what sort of 2FA you're considering, but wouldn't you
> just tell Dovecot to use PAM, and then extend PAM to use a 2FA
> module. For example there's a Google Auth one available in the second
> link below.
>
> https://doc.dovecot.org/configuration_manual/authentication/pam/
> https://github.com/google/google-authenticator-libpam
>
> P.
> (Not a dovecot expert, although I know a fair amount about Linux)

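On what the mech-otp.c / password-scheme-otp.c code referenced above actually is: Dovecot's OTP mechanism is SASL OTP (RFC 2444), i.e. the RFC 2289 S/Key-style one-time password scheme, not TOTP as used by Google Authenticator. The hash chain, the challenge and a minimal verifier are worked through below as an added example written for this thread; it is not Dovecot's code, it implements only the MD5 variant, and the server-side state (seed, sequence number, last accepted hash) is the RFC's model with no claim about how Dovecot stores OTP passwords. The passphrase and seed are the RFC 2289 Appendix C test-vector values.

```python
"""RFC 2289 one-time passwords (MD5 variant) with a minimal verifier.

Added example for this mailing-list thread, not Dovecot code. Server state
follows RFC 2289: it keeps the seed, the current sequence number and the
last accepted 64-bit hash, never the passphrase.
"""
import hashlib
import secrets


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 section 6: MD5 the input, then fold 128 bits to 64 by XORing
    the first eight digest bytes with the last eight."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed: str, passphrase: str, count: int) -> bytes:
    """One-time password number `count` = H^count(S), where the initial
    step S = fold(MD5(lowercase(seed) || passphrase)). The seed is
    case-insensitive and precedes the passphrase, as the RFC requires."""
    h = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        h = fold_md5(h)
    return h


class OtpServer:
    """Verifier: accepts password N-1 if hashing it once yields the stored
    password N, then moves down the chain so the same value cannot be replayed."""

    def __init__(self, seed: str, seq: int, enrolled_hash: bytes):
        self.seed, self.seq, self.last = seed, seq, enrolled_hash

    @classmethod
    def enroll(cls, passphrase: str, count: int = 99, seed: str = ""):
        """Enrollment: the server picks a seed, the user computes H^count(S)
        once and hands it over. Both sides are modelled here for brevity."""
        seed = seed or "sv" + secrets.token_hex(3)
        return cls(seed, count, otp(seed, passphrase, count))

    def challenge(self) -> str:
        """RFC 2289 challenge line asking the client for password seq-1."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        if self.seq <= 0:
            return False                      # chain exhausted: re-enroll
        try:
            resp = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(resp) != 8 or not secrets.compare_digest(fold_md5(resp), self.last):
            return False
        self.last, self.seq = resp, self.seq - 1   # advance the chain
        return True


def demo_login_sequence():
    """Two honest logins followed by a replay of the second response.
    Returns (first_ok, second_ok, replay_ok); the replay must be rejected."""
    passphrase = "This is a test."                 # RFC 2289 test-vector values
    srv = OtpServer.enroll(passphrase, count=99, seed="TeSt")
    n = int(srv.challenge().split()[1])            # server asks for password 98
    first = srv.verify(otp("TeSt", passphrase, n).hex())
    n = int(srv.challenge().split()[1])            # now 97
    r = otp("TeSt", passphrase, n).hex()
    second = srv.verify(r)
    replay = srv.verify(r)                         # same response again
    return first, second, replay


if __name__ == "__main__":
    for count in (0, 1, 99):
        print(count, otp("TeSt", "This is a test.", count).hex())
    print(demo_login_sequence())
```

The scheme is genuinely two-factor in the sense that the passphrase never crosses the wire and a captured response is useless after the sequence advances, but the chain is finite (a new passphrase or seed is needed when the counter reaches zero) and few, if any, mail clients implement SASL OTP, which is the practical reason the documentation has so little to say about it.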

Re: 2FA for Dovecot

Michael Peddemors
In reply to this post by lists
Happy New Year all..

Still awaiting the merge of our variable capabilities patch. Once that
is out, we can release the plugin for CLIENTID, which can do all your 2FA
for you as well.

Looking forward to a great 2020. Also be aware, the last two (2) months
have seen a significant increase in brute force attacks against IMAP
servers, mostly using variations of older data breach passwords.

Make sure you have some form of 'weak password' detection in place.

Also, the sheer size of the botnets (IoT devices) means increased loads
on your servers, so seriously consider country AUTH blocking if your
users don't need to log in from foreign countries, if you haven't already.

"MaxMind" makes that very easy; just be aware that they have changed
some policies. Make sure you give them accreditation where due.

A lot of the attacks are against NON-TLS/SSL ports, but everyone should
slowly move to simply blocking Port 110/143 AUTH attempts, if you really
want to protect your users.

  AUTH failure: '[hidden email]' CLIENTID enforced and missing
CLIENTID or CLIENTID_TYPE rip=61.148.29.198 (CN) lip=192.168.0.204:143
(NON-TLS)




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
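A way to see the brute force and the non-TLS login attempts the post above describes in your own logs. The script below is an added example written for this thread (not LinuxMagic's CLIENTID plugin, and not Dovecot code): it parses the standard `imap-login` / `pop3-login` "auth failed" disconnect lines that stock Dovecot writes, then flags per-source brute force, password spraying across many usernames, and attempts that arrived without TLS. The log lines are constructed for the example using RFC 5737 documentation addresses, and the thresholds are arbitrary starting points.

```python
"""Triage of Dovecot login-failure log lines (added example, not Dovecot code).

Dovecot's login processes log a line of the form
  imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob>,
  method=PLAIN, rip=<client ip>, lip=<server ip>, TLS, session=<id>
where the ", TLS" token is present only when the session was encrypted.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Disconnected[^(]*\(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
    r"(?P<tls>, TLS)?"
)

# Constructed sample lines, not from a real server.
SAMPLE_LOG = """\
Jan  7 03:12:44 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<A1>
Jan  7 03:12:51 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, session=<B1>
Jan  7 03:13:02 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 8 secs): user=<bob>, method=LOGIN, rip=198.51.100.23, lip=192.0.2.10, session=<B2>
Jan  7 03:13:20 mx dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<carol>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, session=<B3>
Jan  7 03:13:31 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 7 secs): user=<dave>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, session=<B4>
Jan  7 03:14:00 mx dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.55, lip=192.0.2.10, session=<C1>
Jan  7 03:14:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<A2>
"""


def parse_failure(line: str):
    """Fields of an 'auth failed' disconnect line, or None for any other line
    (successful logins, aborted connections, unrelated services)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["n"] = int(ev["n"])            # failed attempts within this connection
    ev["tls"] = ev["tls"] is not None
    return ev


def triage(log_text: str, attempt_threshold: int = 5, spray_threshold: int = 3):
    """Aggregate failures per remote IP and return the alerts they trigger."""
    attempts = defaultdict(int)       # failed attempts per rip
    users = defaultdict(set)          # distinct usernames tried per rip
    plaintext = defaultdict(int)      # failed attempts that arrived without TLS
    for line in log_text.splitlines():
        ev = parse_failure(line)
        if ev is None:
            continue
        attempts[ev["rip"]] += ev["n"]
        users[ev["rip"]].add(ev["user"])
        if not ev["tls"]:
            plaintext[ev["rip"]] += ev["n"]
    alerts = []
    for rip, n in attempts.items():
        if n >= attempt_threshold:
            alerts.append(("brute-force", rip, n))
        if len(users[rip]) >= spray_threshold:
            alerts.append(("spray", rip, len(users[rip])))
        if plaintext[rip]:
            alerts.append(("plaintext-auth", rip, plaintext[rip]))
    return {"attempts": dict(attempts), "alerts": sorted(alerts)}


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)["alerts"]:
        print("%-15s %-16s %d" % alert)
```

In the sample, the two TLS failures from 203.0.113.7 look like a user mistyping a password and trigger nothing, while 198.51.100.23 trips all three rules: eleven attempts, four different usernames, and every attempt on a plaintext session. The "plaintext-auth" count is the direct measure of how much you would lose by refusing AUTH on unencrypted 110/143, as the post recommends; feed the brute-force and spray hits to fail2ban or your firewall set.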