
2FA and application passwords for users

Open philipszalla opened this issue 3 years ago • 22 comments

Summary


I would like to secure my mailbox in mailcow with a second factor (e.g. TOTP, U2F, ...).

Motivation


This would be a security improvement for users. Admin already has 2FA

Additional context


Obviously SoGo already has a feature for TOTP. But this affects only the SoGo login.

It would be nice if I were able to add application passwords for my clients (Thunderbird, Outlook, iOS Mail, Android Mail), and my normal password would only work for SoGo in combination with TOTP.

I think this needs a custom configuration page for application passwords in SoGo, so the user is able to configure it on their own.

Nextcloud and Gitea have similar approaches.

philipszalla avatar Nov 23 '20 17:11 philipszalla

Duplicate

andryyy avatar Nov 23 '20 17:11 andryyy

@andryyy could you explain this?

> duplicate

I looked into the issues #1348, #3698 and #3736 and none of them discussed a direct implementation of 2FA in mailcow without oauth integration. The issue #740 tried to solve it but is closed now.

philipszalla avatar Nov 23 '20 17:11 philipszalla

Have not checked, no time, but I will re-open it then. :)

andryyy avatar Nov 23 '20 17:11 andryyy

Do I understand it right that you want app passwords for your clients? If yes, you can create separate accounts when you log in with your mailbox user at the control panel and go to the 'App passwords' tab. (SOGo won't work with app passwords)

If you want to have 2FA for IMAP, nope that won't happen since there's no real approach yet to include this to postfix and such.

MAGICCC avatar Nov 23 '20 18:11 MAGICCC

@MAGICCC yes you’re right.

But can I still use the regular password for IMAP and SMTP? This should be disabled (because I want to use 2FA or the very strong application passwords). And can I enable 2FA for the control panel, too?

philipszalla avatar Nov 23 '20 18:11 philipszalla

We could add WebAuthn/TFA to users, disable IMAP and SMTP for those accounts and put a proxy in front of SOGo to authenticate via key. Only app passwords would work with IMAP and SMTP then. This would exclude access to calendars and address books from external access obviously. Only IMAP and SMTP would still work with app passwords.

andryyy avatar Nov 23 '20 19:11 andryyy

@mkuron it's an older topic, but what's your opinion on this?

andryyy avatar Nov 23 '20 19:11 andryyy

It's been a long time since I looked at this. We already have app passwords for IMAP/SMTP. What we don't have is app passwords for SOGo (EAS, CalDAV, CardDAV), but adding support for them could be as simple as adding a while loop around https://github.com/inverse-inc/sogo/blob/f0980a9cbd14e0fab163be71e4e260bde67d7ee9/SoObjects/SOGo/SQLSource.m#L303-L306. Then, the only missing piece is 2FA for SOGo when you access it via web browser — I don't really know what modifications that would require on the SOGo side though.

mkuron avatar Nov 23 '20 19:11 mkuron

> I don't really know what modifications that would require on the SOGo side though.

Since SOGo has 2FA via TOTP, isn't it possible to dupe the code/hash from mailcow SQL to SOGo's table?

MAGICCC avatar Nov 23 '20 20:11 MAGICCC

That might actually work, it's stored in the user preferences field: https://github.com/inverse-inc/sogo/blob/8b4b55927eaf42f7a39b8c34218ffb408c07c481/SoObjects/SOGo/SOGoUser.m#L1138.

One other thing I forgot earlier is that we need to block logging into IMAP/SMTP, as well as EAS/CalDAV/CardDAV, with the normal password when 2FA is enabled and only allow the app password for that. For IMAP/SMTP that's easy enough to do, but for SOGo it requires more work (probably more than a two-line patch).

mkuron avatar Nov 23 '20 21:11 mkuron

I would prefer the way of an authentication proxy and allow for more mechanisms than TOTP. :)

andryyy avatar Nov 24 '20 03:11 andryyy

For me the ideal implementation would be that TFA-protected passwords and non-TFA protected passwords are totally separated, meaning:

  1. Interfaces that support TFA (SOGo, Mailcow UI, etc.) do not allow logging in using app passwords that do not use TFA
  2. Interfaces that do not support TFA (IMAP, SMTP, POP3, etc.) do not allow logging in using passwords protected by TFA (i.e. the main user password)

It sounds like you're already thinking along those lines @andryyy

If it's hard to implement TFA for SOGo, I'd personally be fine with only allowing the user's main password to be used for the Mailcow UI, with TFA enforced, and require app passwords for everything else (SOGo, IMAP, SMTP, etc.). Maybe as an optional setting.

Daniel15 avatar Mar 14 '21 07:03 Daniel15

Sorry for chipping in, here. I would love to have 2FA for users as well as I integrated Nextcloud via Social Login (following your great documentation). There is no way to have Nextcloud secured via 2FA while using the Social Login App - 2FA would have to be done at Mailcow Login Level. In a first attempt you could leave the logic behind IMAP, SMTP and SoGo untouched. That should be a rather small change to just add 2FA for users, shouldn't it?

Next step then could be to enforce app passwords for IMAP and SMTP when 2FA is enabled. SoGo seems to be more complicated.

beerlao avatar Apr 21 '21 07:04 beerlao

> If it's hard to implement TFA for SOGo, I'd personally be fine with only allowing the user's main password to be used for the Mailcow UI, with TFA enforced, and require app passwords for everything else (SOGo, IMAP, SMTP, etc.). Maybe as an optional setting.

If SOGo does not support (some) TFA methods yet, you could use the mailcow UI flow to log in with TFA and then use the "Login to webmail" button to single sign-in to SOGo. As opposed to having an app password for that as well or using the main password. Then you could disable direct access with the credentials to all protocols and only allow app passwords without TFA.

In the last few days I've tested mailcow extensively, and TFA missing at mailbox-level is the only feature I am missing. Would switch from my current self-hosted solution in a heartbeat if this was possible.

Last remark: U2F in the start post should be WebAuthn/FIDO2 as second factor, as U2F is legacy.

snevas avatar Apr 11 '22 11:04 snevas

thread about XOAUTH2 (2FA for IMAP) + dovecot/postfix

KiaraGrouwstra avatar Aug 08 '22 16:08 KiaraGrouwstra

I think this is implemented @DerLinkman

VermiumSifell avatar Jan 20 '23 12:01 VermiumSifell

Does anyone know the status? TOTP is useless if you can log in via SMTP and IMAP.

zandercodes avatar Feb 11 '24 22:02 zandercodes

You could also disable all direct access and use the primary password with MFA to log in to the mailcow UI and then use the SSO button for SoGo. If you still need SMTP / IMAP you can use app specific passwords on top of that that won't compromise your primary password.

snevas avatar Feb 12 '24 08:02 snevas

> You could also disable all direct access and use the primary password with MFA to log in to the mailcow UI and then use the SSO button for SoGo. If you still need SMTP / IMAP you can use app specific passwords on top of that that won't compromise your primary password.

I have activated 2FA for my Mailcow e-mail inbox, but I can still log in via IMAP without an app password. TOTP is then useless if you can access IMAP via your main password.

EDIT: I forgot to disable IMAP in the account. Now it works.

zandercodes avatar Feb 12 '24 12:02 zandercodes

Have you disabled the direct access in the mailcow settings? You can then use the top button to log in to SoGo, without being able to use the SoGo login directly, and it will enforce all the OTP / WebAuthn security settings that mailcow offers.

snevas avatar Feb 12 '24 16:02 snevas