I have implemented HOTP MFA for users coming from the internet and AD (Kerberos authn, LDAP authz) for internal users. SOGo does not support scenarios like this directly but does support offloading authentication to the web server, in my case Apache, and there you can set up complex scenarios.

The setting in sogo.conf is: "SOGoTrustProxyAuthentication = YES"

In this setup SOGo knows the user ID only, not the password, so an additional requirement is that it can access (as the user) IMAP and submission without a password. In my setup I installed Dovecot (with submission proxy) on the same host and set up localhost IMAP + submission listeners that do not need a password.
From the Dovecot conf:

passdb {
  args = nopassword=y allow_nets=127.0.0.1/32
  driver = static
}

inet_listener imap_local {
    address = 127.0.0.1
    port = 144
    ssl = no
}

- Kees

On 14-09-2022 at 20:30, Randall Sargent ([email protected]) wrote:
Hello,

I am looking for documentation on how to implement MFA/2FA on SOGo, specifically DUO, but any will do.

Thank you
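
An added example, not part of the thread or of the poster's own configuration: a small audit that reads Dovecot-style stanzas and flags a `nopassword=y` passdb whose `allow_nets` reaches beyond loopback, or a plaintext `inet_listener` that is not bound to a loopback address. The `WEAK` sample and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed input: POSTED mirrors the stanzas quoted in the message above;
# WEAK is a made-up variant that widens allow_nets and drops the bind address.
POSTED = """
passdb {
  args = nopassword=y allow_nets=127.0.0.1/32
  driver = static
}
inet_listener imap_local {
    address = 127.0.0.1
    port = 144
    ssl = no
}
"""
WEAK = POSTED.replace("127.0.0.1/32", "127.0.0.1/32,10.0.0.0/8").replace(
    "    address = 127.0.0.1\n", "")

def parse_blocks(text):
    """Yield (header, settings) for every innermost `name [label] { ... }` block."""
    pattern = r"^[ \t]*([\w-]+(?:[ \t]+[\w-]+)?)[ \t]*\{([^{}]*)\}"
    for m in re.finditer(pattern, text, re.M):
        pairs = (l.split("=", 1) for l in m.group(2).splitlines() if "=" in l)
        yield m.group(1), {k.strip(): v.strip() for k, v in pairs}

def all_loopback(values):
    """True only if every address/CIDR in the list lies inside loopback space."""
    try:
        return bool(values) and all(
            ipaddress.ip_network(v, strict=False).is_loopback for v in values)
    except ValueError:  # "*" or a hostname: treat as not loopback
        return False

def audit(text):
    findings = []
    for header, s in parse_blocks(text):
        args = dict(a.split("=", 1) for a in s.get("args", "").split() if "=" in a)
        if header == "passdb" and args.get("nopassword") == "y":
            if not all_loopback([n for n in args.get("allow_nets", "").split(",") if n]):
                findings.append("passdb: nopassword=y not limited to loopback clients")
        if header.startswith("inet_listener") and s.get("ssl") == "no":
            if not all_loopback(re.split(r"[,\s]+", s.get("address", "*"))):
                findings.append(f"{header}: plaintext listener not bound to loopback")
    return findings

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("weak", WEAK)):
        print(name, audit(conf) or "ok")
```

A clean result covers only the network boundary: any local process on the host can still reach a passwordless loopback listener and open any mailbox.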
