In addition to Roundcube, it is also possible to check and send email using any mail software that uses IMAP and SMTP. Since it wouldn’t provide any meaningful security to only restrict Roundcube with 2FA and not also IMAP and SMTP, and there is no easy solution for IMAP and SMTP, I don’t include a 2FA option for Roundcube to avoid giving any false sense of security.
I would love to have a solution that addresses IMAP and SMTP as well, but we don’t.
I think we have a different understanding of the use cases.
I use a mail client (e.g. Thunderbird) only on a piece of hardware that I own and where I can establish security measures, e.g. desktop PC or mobile phone, whereas I use a webmail client on hardware that I don’t own, e.g. internet cafe.
For the latter, in order to increase security, I must add a 2nd authentication, and this could be 2FA.
I hope this differentiation makes clear why 2FA is required for webmail client.
No offense, but I don’t think you’re the one not seeing the full picture here.
2FA for Roundcube only really increases security if you don’t allow IMAP and SMTP connections from email clients and you exclusively use Roundcube to send and receive emails, or if you restrict access for email clients to a small number of IP addresses.
If you don’t do either of these things, anyone can access the IMAP and SMTP ports directly, where 2FA is not required.
I think it is clear that 2fa on roundcube does not protect access to IMAP or SMTP email.
Is there a point in arguing that it protects (perhaps very little) against an opponent gaining access to a PHP executing environment (in this case via Roundcube)?
However I don’t agree with the conclusion.
Although I don’t restrict access for email clients this is not an argument for not using 2FA with webmail client Roundcube.
There’s still a difference using a web browser (e.g. in an internet cafe) vs. an email client installed locally.
By the way:
Access restriction for email clients to some IP addresses is effectively impossible using a laptop that is connected to different wifi networks.
Certainly a VPN would increase security, however if I use a VPN provider, e.g. ivpn, this won’t guarantee my IP either to be identical with each connection attempt.
I hope you don’t actually do that, because if an attacker somehow gets to know your password, Roundcube’s 2FA won’t protect you, as the attacker will be able to use your password to directly access your account via IMAP and SMTP.
However, if you only use an email client on your personal device, the likelihood of your password being exposed is minimal unless your device has somehow been compromised. Without knowing the password, the only option for a potential attacker is to try to brute-force your account, which will effectively be prevented by Fail2ban.
That was actually the point I was trying to make. And as far as I understand it, that’s also the point Josh was trying to make.
Since restricting access to specific IP addresses or blocking IMAP and SMTP altogether is usually not feasible, 2FA on Roundcube would not actually increase the security of your email account. It would only do so if Roundcube were the only access method available, or if all other access methods were also protected by 2FA.
Not sure if it would even be possible to get full access to a mailbox that way, and if it were, I’m not sure if 2FA would even come into play. But I’m neither a dev nor a professional pen tester, so honestly, I don’t know.
Opponent has somehow gotten the password, so mailbox is already compromised.
What if opponent is not interested in the mailbox, but in taking over the VPS box itself? If there is some kind of flaw in the Roundcube programming, the opponent might obtain some kind of control over the VPS box.
Perhaps very unlikely, but that’s why I’m asking here.
I suppose if there is a vulnerability in Roundcube it could allow an attacker who is already logged in to upload a file and then execute it. Such a payload could then perhaps be used to modify Roundcube in a way that would allow the attacker to obtain passwords for other accounts as well.
In order to take control of the server, i.e. gain root access, it would be necessary to exploit further vulnerabilities in the underlying operating system and/or in the PHP packages installed on the system. Such an attack would probably also require that mistakes have been made in the configuration of the server and the tools provided in order to be successful.
I think it’s extremely unlikely … at least as long as you keep your server up to date and don’t modify Mail-in-a-Box or anything else on your server in a way that negatively affects security.
For what it’s worth, Fastmail offers a 2fa solution which, when enabled, requires the generation of “app passwords” for all services (IMAP, SMTP, etc). Nextcloud does this for CalDAV/CardDAV clients when 2FA is enabled. I’m sure there’s a way to implement something similar in MiaB, BUT, it boils down to WHO has the time/resources to develop a solution and submit a PR to the project.
But yeah, in order for 2fa to be effective, it should protect everything behind the account, not just a single layer. Which is why I don’t use it in Nextcloud. What’s the point? Also, it’s just myself and one other account on the system.
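The two points made in this thread, that a password alone still opens IMAP and SMTP when 2FA only guards the webmail login, and that the app-password model used by Fastmail and Nextcloud closes that gap, are sketched below as an added example. This is not Mail-in-a-Box, Roundcube, Fastmail or Nextcloud code; the `AuthBackend` class, the service names `webmail`/`imap`/`smtp`, the in-memory account store and the demo secret are assumptions made for illustration. The same backend is run in the weak configuration (2FA on webmail only) and in the hardened one (IMAP/SMTP accept only per-client app passwords, never the primary password), so the difference the posters argue about is visible in the return values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
# A real deployment generates a fresh random secret per account.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PBKDF2_ITERATIONS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so neither passwords nor app passwords are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    pw_salt: bytes
    pw_hash: bytes
    totp_secret: str
    app_passwords: dict = field(default_factory=dict)  # label -> (salt, hash)


class AuthBackend:
    """Hypothetical authentication backend shared by webmail, IMAP and SMTP."""

    def __init__(self, protocols_require_app_password: bool):
        # False reproduces the thread's scenario: 2FA on webmail only, while
        # IMAP/SMTP still accept the primary password.
        self.protocols_require_app_password = protocols_require_app_password
        self.accounts: dict[str, Account] = {}

    def create_account(self, username: str, password: str, totp_secret: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_secret(password, salt), totp_secret)

    def issue_app_password(self, username: str, label: str) -> str:
        """Generate a random per-client password; only its salted hash is kept."""
        token = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.accounts[username].app_passwords[label] = (salt, hash_secret(token, salt))
        return token

    def revoke_app_password(self, username: str, label: str) -> None:
        self.accounts[username].app_passwords.pop(label, None)

    def _primary_ok(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(hash_secret(password, acct.pw_salt), acct.pw_hash)

    def _app_password_ok(self, acct: Account, candidate: str) -> bool:
        return any(hmac.compare_digest(hash_secret(candidate, salt), h)
                   for salt, h in acct.app_passwords.values())

    def _totp_ok(self, acct: Account, otp, now: int) -> bool:
        # Accept the current 30 s step and one step either side for clock drift.
        return otp is not None and any(
            hmac.compare_digest(otp, totp(acct.totp_secret, now + d * 30)) for d in (-1, 0, 1))

    def authenticate(self, service: str, username: str, secret: str, otp=None, now=None) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        now = int(time.time()) if now is None else now
        if service == "webmail":
            # Primary password plus TOTP; app passwords are not valid for the web login.
            return self._primary_ok(acct, secret) and self._totp_ok(acct, otp, now)
        if service in ("imap", "smtp"):
            if self._app_password_ok(acct, secret):
                return True
            if not self.protocols_require_app_password:
                # Weak setting: the primary password alone opens IMAP/SMTP, so an
                # attacker who knows it never meets the 2FA prompt at all.
                return self._primary_ok(acct, secret)
            return False
        return False


def demo() -> dict:
    """Run the same login attempt against both configurations and return the outcomes."""
    results = {}
    for name, strict in (("weak", False), ("hardened", True)):
        backend = AuthBackend(protocols_require_app_password=strict)
        backend.create_account("alice", "correct horse battery", DEMO_TOTP_SECRET)
        results[f"{name}_imap_primary_pw"] = backend.authenticate("imap", "alice", "correct horse battery")
    return results
```

In the hardened mode a leaked primary password is useless against the mail ports, each client gets its own revocable credential, and 2FA is enforced on the one place where the primary password is accepted, which is exactly the "protect everything behind the account" condition the post above asks for.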