On 25 Oct 2020, at 22:47, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
> The second way, is to not have webmail at all, but instead have a 
> authentication gateway in browser, where you must auth with 2FA and captcha. 
> The only purpose of this gateway, is to authenticate users with 2FA before 
> their IP is whitelisted.

I mostly agree with the sentiments in your email, but whitelisting IP addresses 
is a HORRIBLE idea and a massive gaping security hole and using a captcha is 
only slightly less horrible and user-hostile. If you are using 2FA there is 
absolutely no reason to use a captcha.

A 2FA gateway that reverse proxies the webmail is quite good, but enforcing 
good passwords and using TLS is good enough for nearly all use cases.

(I recently upped the minimum password length from 12 characters)

-- 
Ah we're lonely, we're romantic / and the cider's laced with acid /
        and the Holy Spirit's crying, Where's the beef? / And the moon is
        swimming naked / and the summer night is fragrant / with a mighty
        expectation of relief
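Added example, not from either poster: a small Python model of the two gateway designs argued over above. Both check a password plus an RFC 6238 TOTP code; one then allowlists the client's source IP, the other issues a random session cookie. The class names, the demo secret and the 203.0.113.7 office NAT address are all constructed for illustration. The point it shows is the hole the reply objects to: once a source IP is allowlisted, any other machine behind the same NAT reaches the webmail without ever passing 2FA, whereas a per-session cookie only admits the browser that completed the login.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the second factor both gateways verify."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def _second_factor_ok(secret: bytes, code: str, now: int) -> bool:
    # Constant-time compare so the check does not leak how many digits matched.
    return hmac.compare_digest(code, totp(secret, now))


class SessionGateway:
    """Hypothetical gateway: access is bound to a per-browser session cookie."""

    def __init__(self, totp_secret: bytes, ttl: int = 3600):
        self.totp_secret = totp_secret
        self.ttl = ttl
        self.sessions: dict = {}  # cookie value -> issue time

    def login(self, password_ok: bool, code: str, now: int) -> Optional[str]:
        if not password_ok or not _second_factor_ok(self.totp_secret, code, now):
            return None
        cookie = secrets.token_urlsafe(32)  # unguessable, sent only to this browser
        self.sessions[cookie] = now
        return cookie

    def allow(self, cookie: Optional[str], now: int) -> bool:
        issued = self.sessions.get(cookie)
        return issued is not None and now - issued < self.ttl


class IpAllowlistGateway:
    """Hypothetical gateway: the client's source IP is allowlisted after 2FA."""

    def __init__(self, totp_secret: bytes, ttl: int = 3600):
        self.totp_secret = totp_secret
        self.ttl = ttl
        self.allowed: dict = {}  # source IP -> time it was allowlisted

    def login(self, password_ok: bool, code: str, client_ip: str, now: int) -> bool:
        if not password_ok or not _second_factor_ok(self.totp_secret, code, now):
            return False
        self.allowed[client_ip] = now
        return True

    def allow(self, client_ip: str, now: int) -> bool:
        # Anyone presenting this source address is admitted, 2FA or not.
        issued = self.allowed.get(client_ip)
        return issued is not None and now - issued < self.ttl


def demonstrate(now: int = 1_600_000_000) -> dict:
    """One user logs in through each gateway; a second user behind the same NAT
    then tries to reach the webmail without logging in."""
    secret = b"constructed-demo-seed-not-a-real-secret"  # constructed sample
    code = totp(secret, now)
    office_nat = "203.0.113.7"  # constructed: shared egress address of an office

    ip_gw = IpAllowlistGateway(secret)
    sess_gw = SessionGateway(secret)
    ip_gw.login(True, code, office_nat, now)
    cookie = sess_gw.login(True, code, now)

    return {
        # Second machine on the same NAT, no credentials, no cookie:
        "ip_gw_other_user_same_nat": ip_gw.allow(office_nat, now + 60),
        "session_gw_other_user_same_nat": sess_gw.allow(None, now + 60),
        # The browser that actually completed 2FA:
        "session_gw_owner": sess_gw.allow(cookie, now + 60),
        # Session lifetime is enforced per cookie:
        "session_gw_expired": sess_gw.allow(cookie, now + 7200),
    }


if __name__ == "__main__":
    for name, granted in demonstrate().items():
        print(f"{name}: {'ALLOWED' if granted else 'denied'}")
```

`totp()` follows the RFC 6238 reference algorithm and reproduces its published SHA-1 test vectors; the gateways are deliberately reduced to the authorisation decision, since a real deployment would sit behind TLS and hand the upstream webmail request off only once `allow()` returns true.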
