On 19-09-2024 15:16, Frank Richter ([email protected]) wrote:
On 19.09.24 at 15:11, Kees van Vloten ([email protected]) wrote:
On 19-09-2024 14:57, Frank Richter ([email protected]) wrote:
Hi,
we protect more and more services that can be reached from the
Internet by 2FA/TOTP.
Are there any ideas how to force 2FA/TOTP for SOGo when accessing
SOGo from the Internet (outside the intranet), but not from the
intranet?
Ideally then, SOGo would ask our privacyIDEA API (username, TOTP
code) to evaluate the TOTP code …
I am doing exactly this by letting the webserver (Apache) handle the
authentication (sogo.conf contains 'SOGoTrustProxyAuthentication =
YES;' to trust apache authentication).
Apache is configured to do OIDC authentication, against Keycloak.
Keycloak then checks the client-ip to determine how to authenticate.
If the IP is not in the internal ip-range it will request MFA and use
privacyIDEA as its backend, otherwise user/password is sufficient or
a Kerberos ticket.
Nice, how do you authenticate to the IMAP server?
I don't.
The user is already authenticated by Apache when it accesses Sogo. Sogo
gets the username passed from Apache and it will use it when connecting
to imap (so the user is known at that point). There is no added security
value in doing another, behind the scenes, authentication between Sogo
and imap on behalf of the user.
So I have set up imap (Dovecot) to accept requests on localhost without
password; the username is sufficient. In my case Sogo and Dovecot run on
the same server, but it is easy enough to use an SSL tunnel with
client-cert authentication between 2 machines to forward imap requests
from Sogo localhost to Dovecot localhost to create a secure path from
Sogo to imap.
The setup is required for smtp/submission as well. I use the
dovecot-submission proxy for it, so authentication for imap and
smtp/submission always uses the same (Dovecot) configuration. That
prevents authentication mismatches between imap and smtp/submission.
- Kees.
Frank
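An added illustration of the front-end part of the setup Kees describes (Apache authenticates via OIDC, SOGo trusts the username Apache passes on), not taken from his configuration or from the SOGo project: it assumes mod_auth_openidc, placeholder Keycloak realm and client values, the usual ProxyPass to sogod already in place, and `SOGoTrustProxyAuthentication = YES;` in sogo.conf. The intranet-vs-Internet decision (password or Kerberos inside, MFA against privacyIDEA outside) lives in the Keycloak authentication flow and is not shown here.

```apache
# Added example, not from the thread. Apache performs the OIDC login against
# Keycloak; SOGo accepts the resulting user only because sogo.conf contains
# SOGoTrustProxyAuthentication = YES. Hostnames, client id/secret and
# passphrase below are placeholders to be replaced.
OIDCProviderMetadataURL https://keycloak.example.invalid/realms/EXAMPLE/.well-known/openid-configuration
OIDCClientID sogo
OIDCClientSecret CHANGE-ME
OIDCRedirectURI https://mail.example.invalid/SOGo/redirect_uri
OIDCCryptoPassphrase CHANGE-ME
# The token claim that becomes REMOTE_USER; it has to equal the login name
# Dovecot expects, since SOGo connects to imap with exactly this username.
OIDCRemoteUserClaim preferred_username

<Location /SOGo>
    AuthType openid-connect
    Require valid-user
    # SOGo reads the trusted user from this header. "set" replaces any value
    # a client may have sent, so the header can only originate from Apache;
    # if the header were merely appended or left untouched, a client could
    # pick its own identity once SOGoTrustProxyAuthentication is enabled.
    RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
</Location>
```

Because SOGo no longer sees a password, the imap side has to be reachable from SOGo without one, which is why the localhost-only (or client-cert tunnelled) Dovecot path described above is part of the same design.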