Re: Strategies for protecting IMAP (e.g. MFA)

2021-11-13 Thread lists
The thing I don't like is most 2FA token generators. Ultimately you need to transfer the polynomial that generates the code. Most do that with a QR image. Well so much for security! Others have a one time emergency code. Of course we are talking evil maid attacks, which granted is an unacceptable term these days. Now Yubikey at least has my attention. But people often leave the key plugged into their notebook. Very true with the Google equivalent which I have heard from Google employees. The keys themselves aren't exactly transferable, but when you have physical access then all bets are off. If some fool actually paid me to be sysadmin, I would use a Yubikey. Note FreeOTP lets you input the code but also has the QR code fallback. The phone app however hasn't been updated in years. It does allow you to test out a TOTP scheme. It took me no time to write a script to accept the token on Linux. The tricky part if I recall correctly was setting up the script to accept the token that just expired. You would want to do that to minimize user friction.

Not to get too far off track but I don't allow any web control over my email server. There is no control panel to hack. I ssh into the server and that uses PKI. I do everything via CLI. If ssh is compromised then nothing else will be secure so email would be the last of my problems.

Companies such as LastPass (not an endorsement but an example) supposedly incorporate password generators. If you are going to allow users to set let alone change their own password, you might be able to write a script that generates the password. If I were to go up to the next level of security I would use mail-crypt. It is just that I see so much chatter about getting it to work.

From: montneyty...@gmail.com
Sent: November 13, 2021 3:03 PM
To: dovecot@dovecot.org
Subject: Re: Strategies for protecting IMAP (e.g. MFA)

"Use strong (as in long and/or randomised and impossible to break using
rainbow table attacks) password"

Again, since it's just me, this is do-able. But I'm looking for something practical as well.
I'm getting the feeling that people don't have an MFA implementation.

"if the users are sufficiently discipline"

As a Sysadmin, I can tell you they genuinely are not and they likely never will be.
Hope for the best, plan for the worst.

I also want to clarify that I'm not rejecting any of these suggestions, they're all good.



On Sat, Nov 13, 2021 at 4:42 PM Ralph Seichter wrote:

* Tyler Montney:

> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?

Use strong (as in long and/or randomised and impossible to break using
rainbow table attacks) passwords which are used only once (!) and kept
either in the user's brain or in an encrypted password store. Ensure
that authentication data can only be transmitted over encrypted
connections.

These measures cover a lot of ground, if the users are sufficiently
disciplined. Users are usually the weakest link.

-Ralph



Re: Strategies for protecting IMAP (e.g. MFA)

2021-11-13 Thread Tyler Montney
"Use strong (as in long and/or randomised and impossible to break using
rainbow table attacks) password"

Again, since it's just me, this is do-able. But I'm looking for something
practical as well.
I'm getting the feeling that people don't have an MFA implementation.

"if the users are sufficiently discipline"

As a Sysadmin, I can tell you they genuinely are not and they likely never
will be.
Hope for the best, plan for the worst.

I also want to clarify that I'm not rejecting any of these suggestions,
they're all good.

On Sat, Nov 13, 2021 at 4:42 PM Ralph Seichter wrote:

> * Tyler Montney:
>
> > Since this is getting increasingly complicated, I wanted to ask before
> > going further. What do you all do? Any recommendations?
>
> Use strong (as in long and/or randomised and impossible to break using
> rainbow table attacks) passwords which are used only once (!) and kept
> either in the user's brain or in an encrypted password store. Ensure
> that authentication data can only be transmitted over encrypted
> connections.
>
> These measures cover a lot of ground, if the users are sufficiently
> disciplined. Users are usually the weakest link.
>
> -Ralph
>


Re: Strategies for protecting IMAP (e.g. MFA)

2021-11-13 Thread Ralph Seichter
* Tyler Montney:

> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?

Use strong (as in long and/or randomised and impossible to break using
rainbow table attacks) passwords which are used only once (!) and kept
either in the user's brain or in an encrypted password store. Ensure
that authentication data can only be transmitted over encrypted
connections.

These measures cover a lot of ground, if the users are sufficiently
disciplined. Users are usually the weakest link.

-Ralph


Re: Strategies for protecting IMAP (e.g. MFA)

2021-11-13 Thread lists
It seems to me that OAuth weakens security. You allow some other system into your system. Are you running your own email server? I see you are using Gmail for the listserv.

If you run your own server there are other steps I would take first other than MFA, though MFA would be the best. Geofencing alone reduces the attack pathways. My server is set up so only 25 sees the entire internet. All other email ports are behind a geofence and a rather large blocking list I have built up over the years of VPS, hosting companies, etc. I'm using 587.

I see very few attempts to hack my email server. If I wanted to go the next level up I would use fail2ban. But that would be to cut down chatter in the log file. No bot or person is going to crack my password. It is high entropy. Server passwords are not in clear text.

From: montneyty...@gmail.com
Sent: November 13, 2021 1:16 PM
To: dovecot@dovecot.org
Subject: Strategies for protecting IMAP (e.g. MFA)

With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.

Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?

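The message above mentions fail2ban as the next step for cutting down failed-login noise. As an added example (not from the thread, not fail2ban's own code, and not a Dovecot component), the script below shows the detection logic fail2ban applies to Dovecot's login-process log: it parses the "auth failed" disconnect lines, keeps a sliding window of failed attempts per remote IP, and reports each IP at the moment it crosses the retry threshold, while never listing addresses in an operator-defined ignore list. The log lines are constructed samples in Dovecot's syslog format using documentation address ranges; the function names and the maxretry/findtime defaults are this example's own choices.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of Dovecot login-process log lines (syslog style). Hosts and
# addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
Nov 13 14:02:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<c1>
Nov 13 14:02:15 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<c2>
Nov 13 14:02:40 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<c3>
Nov 13 14:03:01 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS, session=<c4>
Nov 13 14:05:30 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<dave>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS, session=<c5>
Nov 13 14:06:00 mail dovecot: imap-login: Disconnected (auth failed, 9 attempts in 30 secs): user=<root>, method=PLAIN, rip=10.0.0.5, lip=198.51.100.2, session=<c6>
Nov 13 16:20:00 mail dovecot: imap-login: Disconnected (auth failed, 4 attempts in 10 secs): user=<dave>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS, session=<c7>
"""

# The "auth failed" disconnect line; rip= is the remote (client) address, lip= the local one.
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r".*\(auth failed, (?P<n>\d+) attempts in \d+ secs\).*\brip=(?P<ip>[0-9A-Fa-f.:]+)"
)


def parse_failures(log_text, year=2021):
    """Yield (timestamp, remote_ip, attempts) for each failed-auth disconnect.
    syslog timestamps carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], int(m["n"])


def find_offenders(log_text, maxretry=5, findtime_secs=600,
                   ignore_nets=("127.0.0.0/8", "10.0.0.0/8")):
    """fail2ban-style sliding window: an IP that accumulates >= maxretry failed attempts
    within findtime_secs is returned together with the time the threshold was crossed.
    Addresses inside ignore_nets (loopback, internal management ranges) are never listed."""
    ignored = [ipaddress.ip_network(n) for n in ignore_nets]
    recent = defaultdict(deque)   # ip -> timestamps of individual failed attempts
    banned = {}
    for ts, ip, attempts in parse_failures(log_text):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignored):
            continue
        window = recent[ip]
        window.extend([ts] * attempts)   # Dovecot reports attempts per connection
        while window and (ts - window[0]).total_seconds() > findtime_secs:
            window.popleft()             # drop attempts older than the window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

On the sample, 203.0.113.7 reaches six failures inside a minute and is reported; 192.0.2.44 fails once, then four more times two hours later, which never totals five inside the ten-minute window; 10.0.0.5 is ignored as an internal address even though it would otherwise qualify. Counting the per-connection attempt figure rather than just lines matters, because one client connection may burn several password guesses before Dovecot logs the disconnect.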

Strategies for protecting IMAP (e.g. MFA)

2021-11-13 Thread Tyler Montney
With the world of ransomware as it is today (aka attacks seem more vicious
and commonplace), anything I expose to WAN must have additional protection.
I've seen a few posts to this list on it. The only thing that helped was
that Dovecot supports OAuth. Through OAuth I figure I could implement MFA.
However, I'd have to host my own identity server. From there, Thunderbird
supports OAuth so that should work.

Since this is getting increasingly complicated, I wanted to ask before
going further. What do you all do? Any recommendations?