2FA .. how can we implement it?

abardt · March 8, 2020, 3:38am

Really interesting information here …

I’ve always known that mail server security was a major task but this kinda scared me.
2FA is a must for a mail server… how can we implement it?

Eliter · March 8, 2020, 6:10pm

Well… I haven’t watched your video, but what are the factors we’ll use for authentication? Now, THAT will determine if we CAN.

Mail-in-a-Box app
SSH login and confirm
Text message
Call
CAPTCHA
Email
Pin
Human verification (security guard?)
Biometric

We surely can develop a mobile app solely for authentication purposes, or require multiple devices that are already signed in to authenticate. Will that improve security? I don’t know. We could also implement biometric, if the user has their own fingerprint scanner, eye scanner, or has a camera with high enough quality to do facial recognition.
We CANNOT implement human verification, CAPTCHA by Google, and possibly CANNOT do text/call verification.
We won’t use any of Google’s CAPTCHA tools, as they do NOT provide privacy. They have to connect to Google’s servers, and it is at Google’s sole discretion to determine malicious traffic.This is a privacy project, so I doubt @JoshData would go for it.
We cannot implement human verification, because we won’t hire someone to verify your identity for free. This is an open-source and free project. We don’t have the budget, or any non-profit corporation to do such thing. Maybe we can implement something that makes it available for organizations to hire their own, and they can log people in, sort-of like a help desk.
I do not believe we can implement call/text verification, as that costs money. It might be possible if we create a non-profit corporation and create a budget for such a thing, and offer it to all users. (cough cough @JoshData cough cough) However, if we did, that creates users to constantly rely on the project’s funding, servers, and services. It also creates a privacy and security issue, as authentication would be at Mail-in-a-Box’s sole discretion, and MIAB would know what you’re doing. Also, WE don’t know malicious traffic from legitimate traffic, so uses could send thousands of spam/bogus authentication requests, and we wouldn’t know the difference. That would also create a liability issue for MIAB, as if we did know what you were doing, we would have to do something if the police came to MIAB, demanding stuff. We could always pick a few services/subscriptions that we recommend users get, and make it available to use their API.

SSH login might create a security issue, as you would be required to put in a password every time. It might be the same password as the one you’re trying to use 2FA with, and it might be different, or the admin password, which would be overkill.

Seems like the most reasonable option is to create a mobile app for authentication. Apple’s developer license costs $100. We could use jquery’s stuff to create a mobile apps using Javascript/HTML, to reduce the amount of programming needed, and reduce the learning curve for people trying to read/contribute to the code, since that is part of the decision matrix of this project. If we did do that, I imagine it would only be available to Android for a long while, because of that $100 cost for iPhone.

Doc · March 8, 2020, 8:25pm

Could we use an authenticator app for Time-based One-time Passwords like google authenticator or anothe open source app from f-droid?

JoshData · March 8, 2020, 8:48pm

2FA is, like most things, a little complicated to implement. It requires implementing a custom Dovecot authentication mechanism (Dovecot handles all authentication across all of the services running on the box), a way for end users to enroll and manage 2FA devices, a new table of app-specific passwords so that users can give non-2FA access to individual apps and a way for end-users to manage their app-specific passwords, and a last-resort way to restore access if the admin loses their own 2FA device. It would be great to have but it’s a lot of work, and if it’s not done correctly, it can lock out users and cause a lot of headaches for Mail-in-a-Box maintainers.

limitless · March 9, 2020, 9:31am

@JoshData To secure each user’s mailbox in this way might really lead to great problems as well on user’s side and is not quite easy / possible to implement, as you mentioned. But at least a simple TOTP for the admin access is already a good start to secure the whole MiaB instance. Please, consider adding at least this one.

JoshData · March 9, 2020, 11:04am

I would consider adding any sort of 2FA just as soon as anyone (not me) does the work to implement it.

openletter · March 9, 2020, 12:15pm

The only place I currently find a potential use for 2FA in MiaB might be the admin interface. For everything else, the biggest risk is just that a mail account is hijacked.

However, mail clients have poor support for 2FA, so implementation is problematic. The preferred route for mail clients to me would be unique passwords for single devices. Even if an account is compromised, the single device password cannot be used to change other device or account main passwords, so the account holder, perhaps the most likely first person to discover (e.g., bounce-backs from spammer bad address list, bank login credential change request, etc.), would be able to remedy the situation themselves.

Doc · March 25, 2020, 7:47pm

There is a plugin for Roundcube Login that makes 2FA possible. I did not test it in the current release because when i installed it wrong i can not login anymore when the plugin is still active. The solution would be removing the part of the database but i lack in knowlede how to make it practical. At least we could make some small progress for the web interface