mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

2FA and application passwords for users #3869

Open philipszalla opened 3 years ago

philipszalla commented 3 years ago

Summary

I would like to secure my mailbox in mailcow with a second factor (e.g. TOTP, U2F, ...).

Motivation

This would be a security improvement for users. Admin already has 2FA.

Additional context

Obviously SoGo already has a feature for TOTP. But this affects only the SoGo login.

It would be nice if I were able to add application passwords for my clients (Thunderbird, Outlook, iOS Mail, Android Mail) and my normal password would only work for SoGo in combination with TOTP.

I think this needs a custom configuration page for application passwords in SoGo, so the user is able to configure it on their own.

Nextcloud and Gitea have similar approaches.

andryyy commented 3 years ago

Duplicate

philipszalla commented 3 years ago

@andryyy could you explain this?

duplicate

I looked into the issues #1348, #3698 and #3736 and none of them discussed a direct implementation of 2FA in mailcow without oauth integration. The issue #740 tried to solve it but is closed now.

andryyy commented 3 years ago

Have not checked, no time, but I will re-open it then. :)

MAGICCC commented 3 years ago

Do I understand it right that you want app passwords for your clients? If yes, you can create separate accounts when you log in with your mailbox user @ the controlpanel and go to the 'App passwords' tab. (SOGo won't work with app passwords.)

If you want to have 2FA for IMAP, nope that won't happen since there's no real approach yet to include this to postfix and such.

philipszalla commented 3 years ago

@MAGICCC yes you’re right.

But can I still use the regular password for IMAP and SMTP? This should be disabled (because I want to use 2FA or the very strong application passwords). And can I enable 2FA for the controlpanel, too?

andryyy commented 3 years ago

We could add WebAuthn/TFA to users, disable IMAP and SMTP for those accounts and put a proxy in front of SOGo to authenticate via key. Only app passwords would work with IMAP and SMTP then. This would exclude access to calendars and address books from external access obviously. Only IMAP and SMTP would still work with app passwords.

andryyy commented 3 years ago

@mkuron it's an older topic, but what's your opinion on this?

mkuron commented 3 years ago

It‘s been a long time since I looked at this. We already have app passwords for IMAP/SMTP. What we don‘t have is app passwords for SOGo (EAS, CalDAV, CardDAV), but adding support for them could be as simple as adding a while loop around https://github.com/inverse-inc/sogo/blob/f0980a9cbd14e0fab163be71e4e260bde67d7ee9/SoObjects/SOGo/SQLSource.m#L303-L306. Then, the only missing piece is 2FA for SOGo when you access it via web browser — I don‘t really know what modifications that would require on the SOGo side though.

MAGICCC commented 3 years ago

I don‘t really know what modifications that would require on the SOGo side though.

Since SOGo has 2FA via TOTP, isn't it possible to dupe the code/hash from mailcow SQL to SOGo's table?

mkuron commented 3 years ago

That might actually work, it‘s stored in the user preferences field: https://github.com/inverse-inc/sogo/blob/8b4b55927eaf42f7a39b8c34218ffb408c07c481/SoObjects/SOGo/SOGoUser.m#L1138.

One other thing I forgot earlier is that we need to block logging into IMAP/SMTP, as well as EAS/CalDAV/CardDAV, with the normal password when 2FA is enabled and only allow the app password for that. For IMAP/SMTP that‘s easy enough to do, but for SOGo it requires more work (probably more than a two-line patch).

andryyy commented 3 years ago

I would prefer the way of an authentication proxy and allow for more mechanisms than TOTP. :)

Daniel15 commented 3 years ago

For me the ideal implementation would be that TFA-protected passwords and non-TFA protected passwords are totally separated, meaning:

  1. Interfaces that support TFA (SOGo, Mailcow UI, etc.) do not allow logging in using app passwords that do not use TFA
  2. Interfaces that do not support TFA (IMAP, SMTP, POP3, etc.) do not allow logging in using passwords protected by TFA (i.e. the main user password)

It sounds like you're already thinking along those lines @andryyy

If it's hard to implement TFA for SOGo, I'd personally be fine with only allowing the user's main password to be used for the Mailcow UI, with TFA enforced, and require app passwords for everything else (SOGo, IMAP, SMTP, etc.). Maybe as an optional setting.

beerlao commented 3 years ago

Sorry for chipping in, here. I would love to have 2FA for users as well as I integrated Nextcloud via Social Login (following your great documentation). There is no way to have Nextcloud secured via 2FA while using the Social Login App - 2FA would have to be done at Mailcow Login Level. In a first attempt you could leave the logic behind IMAP, SMTP and SoGo untouched. That should be a rather small change to just add 2FA for users, shouldn't it?

Next step then could be to enforce app passwords for IMAP and SMTP when 2FA is enabled. SoGo seems to be more complicated.

snevas commented 2 years ago

If it's hard to implement TFA for SOGo, I'd personally be fine with only allowing the user's main password to be used for the Mailcow UI, with TFA enforced, and require app passwords for everything else (SOGo, IMAP, SMTP, etc.). Maybe as an optional setting.

If SOGo does not support (some) TFA methods yet, you could use the mailcow UI flow to login with TFA and then use the "Login to webmail" button to single sign-in to SOGo. As opposed to having an app password for that as well or using the main password. Then you could disable direct access with the credentials to all protocols and only allow App passwords without TFA.

In the last few days I've tested mailcow extensively, and TFA missing at mailbox-level is the only feature I am missing. Would switch from my current self-hosted solution in a heartbeat if this was possible.

Last remark: U2F in the startpost should be WebAuthn/FIDO2 as second factor as U2F is legacy.
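The two separation rules in Daniel15's comment above, together with snevas's suggestion of locking down direct protocol access once TFA is enabled, amount to a small authorization policy. The following is an added example written for this page, not mailcow's own code: it models a mailbox with one TFA-protected main password and independent app passwords, and decides a login by credential class and interface. The interface names, the `Mailbox` type and the hashing helper are assumptions made here for illustration.

```python
# Added example, not mailcow's own code: a toy model of the credential
# separation proposed in this thread. Interface names, the Mailbox type and
# the hashing helper are hypothetical; only the two rules come from the thread.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Interfaces that can challenge for a second factor (Rule 1 applies here).
TFA_INTERFACES = frozenset({"mailcow-ui", "sogo"})
# Protocols that carry a single password and no second factor (Rule 2).
NON_TFA_PROTOCOLS = frozenset(
    {"imap", "pop3", "smtp", "sieve", "eas", "caldav", "carddav"}
)


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256, chosen here so the example runs offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Mailbox:
    main_salt: bytes
    main_hash: bytes
    tfa_enabled: bool = False
    # label -> (salt, hash); every app password is its own random secret
    app_passwords: dict = field(default_factory=dict)


def new_mailbox(main_password: str, tfa_enabled: bool) -> Mailbox:
    salt = os.urandom(16)
    return Mailbox(salt, _derive(main_password, salt), tfa_enabled)


def add_app_password(mb: Mailbox, label: str) -> str:
    """Generate a random app password, store only its hash, return it once."""
    token = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    mb.app_passwords[label] = (salt, _derive(token, salt))
    return token


def classify(mb: Mailbox, password: str):
    """Return 'main', 'app' or None depending on which stored secret matches."""
    if hmac.compare_digest(_derive(password, mb.main_salt), mb.main_hash):
        return "main"
    for salt, digest in mb.app_passwords.values():
        if hmac.compare_digest(_derive(password, salt), digest):
            return "app"
    return None


def authorize(mb: Mailbox, interface: str, password: str,
              second_factor_ok: bool = False):
    """Decide a login attempt. Returns (allowed, reason)."""
    kind = classify(mb, password)
    if kind is None:
        return False, "bad credentials"
    if interface in TFA_INTERFACES:
        # Rule 1: TFA-capable interfaces never accept app passwords.
        if kind == "app":
            return False, "app passwords are not valid on TFA-capable interfaces"
        if mb.tfa_enabled and not second_factor_ok:
            return False, "second factor required"
        return True, "main password" + (" + second factor" if mb.tfa_enabled else "")
    if interface in NON_TFA_PROTOCOLS:
        # Rule 2: once TFA is on, the main password is useless on plain protocols,
        # which is the "disable direct access" lockdown described in the thread.
        if kind == "main" and mb.tfa_enabled:
            return False, "main password disabled on protocols without TFA; use an app password"
        return True, kind + " password"
    return False, "unknown interface"


if __name__ == "__main__":
    box = new_mailbox("correct horse battery staple", tfa_enabled=True)
    thunderbird = add_app_password(box, "thunderbird")
    for iface, pw, sf in [("imap", "correct horse battery staple", False),
                          ("imap", thunderbird, False),
                          ("sogo", thunderbird, False),
                          ("sogo", "correct horse battery staple", True)]:
        print(iface, authorize(box, iface, pw, sf))
```

With TFA disabled the main password still works on IMAP, which is today's behaviour; enabling TFA flips Rule 2 on without any per-protocol toggling, so a user cannot forget to disable IMAP for the main password, the mistake reported later in this thread.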

KiaraGrouwstra commented 1 year ago

thread about XOAUTH2 (2FA for IMAP) + dovecot/postfix

VermiumSifell commented 1 year ago

I think this is implemented @DerLinkman

zandercodes commented 5 months ago

Does anyone know the status? TOTP is useless if you can log in via SMTP and IMAP.

snevas commented 5 months ago

You could also disable all direct access and use the primary password with MFA to login to mailcow UI and then use the SSO button for SoGo. If you still need SMTP / IMAP you can use app specific passwords on top of that that won't compromise your primary password.

zandercodes commented 5 months ago

You could also disable all direct access and use the primary password with MFA to login to mailcow UI and then use the SSO button for SoGo. If you still need SMTP / IMAP you can use app specific passwords on top of that that won't compromise your primary password.

I have activated 2FA for my Mailcow e-mail inbox, but I can still log in via IMAP without an app password. TOTP is then useless if you can access IMAP via your main password.

EDIT: I forgot to disable IMAP in the account. Now it works.

snevas commented 5 months ago

Have you disabled the direct access in the mailcow settings? [screenshot] You can then use the top button to login to SoGo, without being able to use the SoGo login directly, and it will enforce all the OTP / WebAuthn security settings that mailcow offers.

brandoningli commented 1 month ago

Could someone point me to where you'd adjust the direct access settings? I think I see where the IMAP, POP3, SMTP, and Sieve controls are, but I see no trace of the SOGo control.

snevas commented 1 month ago

As said in the text, you need to login as an admin, Email > Configuration > Mailboxes > Edit > Allowed protocols. If you uncheck everything, directly logging in with the main password with these protocols is disabled. If you uncheck "Grant direct login access to SOGo" on the same page, directly logging in with the main password to SoGo is disabled. Only the SSO button in my previous screenshot will work to login to SoGo.