Cannot Disable MFA for Admin access to Admin Panel

bill.gertz · March 25, 2022, 7:04pm

I can see that an admin account but not disable it with cli.py. Very Confused.

Sorry if I’m misunderstanding something basic - I’ve read the posts available but I think there is something gone Tango Uniform on my MiaB:

-  Phone was authenticator - but crashed and died. Thus lost authenticator.
-  Can view that the account has MFA registered with the admin user.
-  Trying to disable reports that user doesn't exist or have MFA registered
-  Confusion Reigns

Can show that user has MFA registered:

./cli.py user mfa show admin.xxxxxxx@xxx.xxx
id,type,label
1,totp,S22 Ultra

When I try to disable it tells me it doesn’t exist. Um, huh?

./cli.py user mfa disable admin.xxxxxxx@xxx.xxx
Invalid user or MFA id.

I have no clue other than to start fishing through the code to see what it would have done. But I have better plans for my night and am facing project deadlines. Can someone throw me a clue?

bill.gertz · March 25, 2022, 7:20pm

Ok found the answer after digging through the code - you need the mfa token id. In this case it was 1 (one):

./cli.py user mfa show admin.xxxxxxx@xxx.xxx
id,type,label
1,totp,S22 Ultra
^

So the command should have been:

./cli.py user mfa disable admin.xxxxxxx@xxx.xxx 1
                                                ^

Misread the post as, at least for me, the 1 (one) appeared on a new line and discounted it as line noise. Oops!

My trials and misfortunes are documented here should anyone else run into the same problem and need a solution.

Mischief Managed.

openletter · March 25, 2022, 7:24pm

Yes, you can see all of the available options and their syntax with:

$  mailinabox/management/cli.py 
Usage:
  management/cli.py user                                     (lists users)
  management/cli.py user add user@domain.com [password]
  management/cli.py user password user@domain.com [password]
  management/cli.py user remove user@domain.com
  management/cli.py user make-admin user@domain.com
  management/cli.py user remove-admin user@domain.com
  management/cli.py user admins                              (lists admins)
  management/cli.py user mfa show user@domain.com            (shows MFA devices for user, if any)
  management/cli.py user mfa disable user@domain.com [id]    (disables MFA for user)
  management/cli.py alias                                    (lists aliases)
  management/cli.py alias add incoming.name@domain.com sent.to@other.domain.com
  management/cli.py alias add incoming.name@domain.com 'sent.to@other.domain.com, multiple.people@other.domain.com'
  management/cli.py alias remove incoming.name@domain.com

Removing a mail user does not delete their mail folders on disk. It only prevents IMAP/SMTP login.

bill.gertz · March 26, 2022, 12:30pm

Ah, thanks for that. I have one small caveat: square brackets around a parameter usually means that it’s optional. It isn’t optional, you need to supply the token [id].

system · May 5, 2022, 12:30pm

This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.