Re: Dovecot and multi-factor auth support
On Mon, May 25, 2020 at 3:29 AM Darren S. wrote:
> OpenBSD 6.6 amd64
> OpenSMTPD 6.6.0
> Dovecot 2.3.9.3 (9f41b88fa)
> login_duo 1.11.2
>
> I'm working with an OpenSMTPD/Dovecot installation that will support
> users authenticating over the internet and I'm curious if any form of
> multi-factor authentication is possible for IMAP (and optionally,
> SMTP).

What about:
- using LDAP as auth backend for dovecot
- integrate Duo with LDAP server
?

You mentioned Duo but any strong authentication system that is LDAP compatible should work (Okta can act like an LDAP server, too).

-f
Re: Dovecot and multi-factor auth support
>> Is there any sort of supported way of wiring up login_duo with
>> OpenSMTPD and Dovecot, or using bsdauth in some way to enforce a
>> second auth factor?
>
> bsdauth isn't really setup for multi factor, the only way I've seen
> this done is splitting the password field into a fixed-length OTP and
> a password.

I use an ssh tunnel for access to dovecot, with the same username via bsdauth. Not exactly two factor at the account level, but even more secure IMO, and ssh has two factor ability now too.

I tried but abandoned switching to client tls certs, as keeping tunnels or vpns open isn't so great on mobile for notifications, and ensuring clients trust one CA, especially on mobiles, is impossible? Nowadays, without writing your own client (all use the android trust store?!)

Note: bsdauth may be being removed by dovecot, annoyingly.
http://openbsd-archive.7691.n7.nabble.com/bsdauth-being-removed-from-Dovecot-td387268.html
Re: Dovecot and multi-factor auth support
On 2020-05-25, Darren S. wrote:
> OpenBSD 6.6 amd64
> OpenSMTPD 6.6.0
> Dovecot 2.3.9.3 (9f41b88fa)
> login_duo 1.11.2
>
> I'm working with an OpenSMTPD/Dovecot installation that will support
> users authenticating over the internet and I'm curious if any form of
> multi-factor authentication is possible for IMAP (and optionally,
> SMTP).

No, this can't really work directly for IMAP (you could have a mechanism that uses a password and OTP together in the password field, but a typical client will make multiple connections at different times, so this won't work in a usable way).

Current methods working something along these lines use OAuth2 - multi factor would be used when creating an access token (usually done via a web interface) and then an IMAP/SMTP client would use this for the normal logins. Dovecot supports this for IMAP - I haven't noticed any open source MTAs that do this for SMTP though (gmail offers it and it works in some MUAs).

> Currently SMTP auth and Dovecot both authenticate users over TLS using
> their system user passwords. I have also set up Duo MFA for sshd using
> the login_duo package so admins can additionally authenticate with a
> push notification to phone.
>
> Is there any sort of supported way of wiring up login_duo with
> OpenSMTPD and Dovecot, or using bsdauth in some way to enforce a
> second auth factor?

bsdauth isn't really setup for multi factor, the only way I've seen this done is splitting the password field into a fixed-length OTP and a password.
Dovecot and multi-factor auth support
OpenBSD 6.6 amd64
OpenSMTPD 6.6.0
Dovecot 2.3.9.3 (9f41b88fa)
login_duo 1.11.2

I'm working with an OpenSMTPD/Dovecot installation that will support users authenticating over the internet and I'm curious if any form of multi-factor authentication is possible for IMAP (and optionally, SMTP).

Currently SMTP auth and Dovecot both authenticate users over TLS using their system user passwords. I have also set up Duo MFA for sshd using the login_duo package so admins can additionally authenticate with a push notification to phone.

Is there any sort of supported way of wiring up login_duo with OpenSMTPD and Dovecot, or using bsdauth in some way to enforce a second auth factor?

--
Darren Spruell
phatbuck...@gmail.com