TOTP (2FA) support #184
Comments
|
If there is 2FA for user accounts, then there should be an option to disable IMAP/SMTP for non remote IPs to prevent going around 2FA with these protocols. So what I'm saying: if we want full 2FA support, we need application passwords for MUAs OR be able to block IMAP/SMTP for accounts with 2FA enabled. |
|
I started to collect some ideas and requirements. I think the following mechanisms are necessary to have TOTP/2FA not only for admin accounts but also mailbox users. TOTP secretIt would be very interesting to share the TOTP secret with other programs, for example Roundcubemail. This can probably be solved by providing a hook when saving the shared secret. The hook can be used to store the secret into other SQL tables, for example the settings of the Roundcubemail TOTP plugin. Preventing access w/o 2FAAs common multi factor authentication protocols are not supported by IMAP, POP or SMTP (the only option would be to add client SSL auth AFAICT), having an option for users to disable remote access via these protocols would be very welcome. This can be implemented by adding a boolean to the mailbox table, for example An additional SQL table could be helpful for maintaining access for multiple hosts in a cluster, but this is not really necessary. For example the password query for Dovecot could then look like this: App password supportThe support for app passwords (dedicated password for each MUA) is a also a good solution to increase account security without actual 2FA. I guess the best approach would be to have an additional table edit: I just noticed that this query would not work as the active and remote ip properties are not retained in the UNION. However it still outlines the idea. |
|
A good start would be to have to only for admin accounts. |
|
Any progress on this? I see that there is a related open pull request from a few years ago: #322 |
|
I hope in the future we can use this feature. |
|
We actually started working on this last week and will probably come up with a PR in the next weeks. |
|
We're half way done but have one open question about the design and feedback would be welcome.
The resulting query for logins with Dovecot would be the following: SELECT user, password FROM (
SELECT username AS user, password, '0' AS is_app_password FROM mailbox
UNION
SELECT username AS user, password, '1' AS is_app_password FROM mailbox_app_password
)
WHERE user='%u' AND password='%w' AND active=1 AND
(
"%r" IN (SELECT ip FROM totp_exception_address WHERE username="%u" OR username IS NULL)
OR (SELECT totp_secret FROM mailbox WHERE usenamer="%u") IS NULL
OR is_app_password='1'
)Does anybody have any concerns with this setup? *edit: there was a mistake in the query. I updated it. |
|
@svenseeberg sounds good, thanks for progressing this |
Co-Authored-By: Fredrik Bostroem <fredrik.bostroem@verdigado.com> Co-Authored-By: Sven Seeberg <sven.seeberg@verdigado.com>
Co-Authored-By: Fredrik Bostroem <fredrik.bostroem@verdigado.com> Co-Authored-By: Sven Seeberg <sven.seeberg@verdigado.com>
When users (or admin) login to PFA, it would be good to use a Time-based One-Time Password. Eg, Google Authenticator, Authy, 1Password, etc.
I have just setup TOTP with Roundcube Mail - they have a plugin (https://plugins.roundcube.net/packages/alexandregz/twofactor_gauthenticator). Something like that for Postfix Admin would be perfect.
The text was updated successfully, but these errors were encountered: