I would like to secure my mailbox in mailcow with a second factor (e.g. TOTP, U2F, ...).
What are you about to solve or improve with this idea?
What would be the benefit for most users?
This would be a security improvement for users.
Admin already has 2FA
Add any other context or screenshots about the feature request.
Obviously SoGo already has a feature for TOTP.
But this affects only the SoGo login.
It would be nice if I were able to add application passwords for my clients (Thunderbird, Outlook, iOS Mail, Android Mail), and my normal password would then only work for SoGo in combination with the TOTP.
I think this needs a custom configuration page for application passwords in SoGo, so the user is able to configure it on their own.
Nextcloud and Gitea have similar approaches.
Duplicate
@andryyy could you explain this?
duplicate
I looked into the issues #1348, #3698 and #3736 and none of them discussed a direct implementation of 2FA in mailcow without OAuth integration. Issue #740 tried to solve it but is closed now.
Have not checked, no time, but I will re-open it then. :)
Do I understand it right that you want app passwords for your clients? If yes, you can create separate ones when you log in with your mailbox user at the control panel and go to the 'App passwords' tab. (SOGo won't work with app passwords.)
If you want to have 2FA for IMAP, nope that won't happen since there's no real approach yet to include this to postfix and such.
@MAGICCC yes you’re right.
But can I still use the regular password for IMAP and SMTP? This should be disabled (because I want to use 2FA or the very strong application passwords).
And can I enable 2FA for the control panel, too?
We could add WebAuthn/TFA to users, disable IMAP and SMTP for those accounts and put a proxy in front of SOGo to authenticate via key. Only app passwords would work with IMAP and SMTP then. This would exclude access to calendars and address books from external access obviously. Only IMAP and SMTP would still work with app passwords.
@mkuron it's an older topic, but what's your opinion on this?
It’s been a long time since I looked at this. We already have app passwords for IMAP/SMTP. What we don’t have is app passwords for SOGo (EAS, CalDAV, CardDAV), but adding support for them could be as simple as adding a while loop around https://github.com/inverse-inc/sogo/blob/f0980a9cbd14e0fab163be71e4e260bde67d7ee9/SoObjects/SOGo/SQLSource.m#L303-L306. Then, the only missing piece is 2FA for SOGo when you access it via web browser — I don’t really know what modifications that would require on the SOGo side though.
Since SOGo has 2FA via TOTP, isn't it possible to dupe the code/hash from mailcow's SQL to SOGo's table?
That might actually work, it’s stored in the user preferences field: https://github.com/inverse-inc/sogo/blob/8b4b55927eaf42f7a39b8c34218ffb408c07c481/SoObjects/SOGo/SOGoUser.m#L1138.
One other thing I forgot earlier is that we need to block logging into IMAP/SMTP, as well as EAS/CalDAV/CardDAV, with the normal password when 2FA is enabled and only allow the app password for that. For IMAP/SMTP that’s easy enough to do, but for SOGo it requires more work (probably more than a two-line patch).
I would prefer the way of an authentication proxy and allow for more mechanisms than TOTP. :)