Would love to be able to implement multiple server-level administrators (so multiple people can add extra domains to the server etc). What would be necessary to get this happening? :)
I'd very much like to see this as well and / or the ability to have multiple two-factor authentications devices configured per account.
@chriscroome Are you meaning multiple different types of 2FA devices? If not, you can currently have multiple devices (i.e. I have two YubiKeys in Yubi OTP mode connected to mine).
@stevesbrain I don't have a YubiKey, though I'm tempted to get one, I'm using OTP and it seems you can only have one device with that? I have used other services where you can register multiple devices and if that could be done for the Mailcow admin account it would make it easier to have several people with admin access to a server. I did try adding a second OTP device and it seemed to remove the first one.
Hi,
I will think about this when I'm done with programming the API. :)
@chriscroome This does not work for TOTP. But you can write down the "secret" below the QR code or save the QR code to scan it on multiple devices. TOTP has no identifier for the token (has it? correct me), we would have to iterate through all keys until we match the correct one or none.
@andryyy I'm no expert on this but, for example, the TOTP 2FA at Nominet shows up on my phone as:
Nominet
[email protected]
Where as Mailcow shows up as:
admin
If I use TOTP for multiple Mailcow servers I'm not sure how to tell them apart -- if a [email protected] identifier could be added that would solve this.
When I tried scanning the TOTP QR code on a second device the first device listing disappeared -- it appears to me that you currently can't have multiple TOTP devices associated with one Mailcow account? Again at Nominet you can have multiple devices.
I will check it!
@andryyy - The identifier for TOTP tokens does exist in the form of a "label":
So in the example of @chriscroome his would look like:
otpauth://totp/[email protected]?secret=XXXXXXXXXX&issuer=Nominet
So we'd want to do something like:
otpauth://totp/Admin-Username?secret=XXXXXXXX&issuer=YourMailServer
Or similar :)
If possible I'd suggest using:
Mailcow
[email protected]
Where 'admin' is the username and 'example.org' is the Mailcow server's domain name, in the case of the admin account, for others using their email address:
Mailcow
[email protected]
Or perhaps the hostname could be used in place of 'Mailcow', or perhaps a new field could be created for the server name and this could also be used in the HTML <title>, eg:
Example Organisation : Mailcow
[email protected]
It already inserts "mailcow UI" as label. I made this a var in vars.inc.php for future releases. :)
What I mean regarding the identifier: There is no ID inside the 6 digit code you enter when logging in. So I cannot assume it is used for secret A. I would need to iterate over secret A, B, C, D etc. until I hit the correct one.
Yubi TFA codes contain an identifier. I can read that ID and know which secret I have to check.
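The two points made in this thread, that a TOTP code carries no token identifier so a server with several enrolled secrets has to try each one, while a Yubico OTP carries its public ID in the first 12 modhex characters, can be shown in a few lines. The following is an added example in Python and is not mailcow's code; the secrets, account names and the Yubico OTP string are constructed for the example, and the label/issuer layout of the otpauth URI follows the convention discussed above.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test-vector key ("12345678901234567890" in base32).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
MODHEX = "cbdefghijklnrtuv"


def provisioning_uri(secret_b32, account, issuer):
    """Build the otpauth:// URI the QR code encodes; the label is what the
    authenticator app shows, so it should name both issuer and account."""
    label = quote(f"{issuer}:{account}", safe="@:")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)


def verify_totp_any(secrets, code, at=None, window=1, period=30):
    """secrets: {device_name: base32_secret}. The 6-digit code names no
    device, so every enrolled secret is tried (with +/- window periods of
    clock drift). Returns the matching device name, or None."""
    at = time.time() if at is None else at
    for name, secret in secrets.items():
        for drift in range(-window, window + 1):
            candidate = totp(secret, at + drift * period, period)
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(candidate, code):
                return name
    return None


def yubico_public_id(otp):
    """A Yubico OTP is 44 modhex characters; the first 12 are the public
    identity of the key, so the server knows which secret to check before
    touching the encrypted part. Returns the ID or None if malformed."""
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        return None
    return otp[:12]


if __name__ == "__main__":
    # Constructed enrolment: two devices on one account, one using the RFC key.
    devices = {"phone": "JBSWY3DPEHPK3PXP", "tablet": RFC_SECRET}
    print(provisioning_uri(RFC_SECRET, "admin@example.org", "mailcow UI"))
    # At t=59 the RFC 6238 SHA1 vector gives 287082, so this must pick "tablet".
    print(verify_totp_any(devices, "287082", at=59))
    # Constructed Yubico OTP: public ID "cccccccccccc" plus 32 modhex chars.
    print(yubico_public_id("cccccccccccc" + "bcgujhingjrdejhgfnuetrgigvejhhgb"))
```

The lookup cost grows linearly with the number of enrolled TOTP secrets per account, which is why the thread's alternative of one TOTP device per admin account, with several admin accounts, avoids the iteration entirely.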
That's great, thanks :-)
I would need to iterate over secret A, B, C, D etc. until I hit the correct one.
Ah, OK, I wonder how Nominet does this, they allow multiple TOTP devices and only have one field for entering the number...
In any case if one could create multiple admin accounts then only having one TOTP device per account would be OK. Perhaps a "root" account might be needed just to create / edit "admin" accounts?
Would also be interested in a second administrator account with different username and password.
+1 Same here.