maldua-suite / zimbra-ose-2fa

Two factor authentication for Zimbra OSE

Is zimbra ose 2fa has token manager? #16

Open cvhoangpt opened 4 months ago

cvhoangpt commented 4 months ago

Hi there, can you show me the token manager of OSE 2FA? So when a user is missing TOTP, what do they do? I see a guide to download passcode numbers, but in some cases they leave this PDF.

cvhoangpt commented 4 months ago

@adriangibanelbtactic please help

adriangibanelbtactic commented 1 month ago

> Hi there, can you show me the token manager of OSE 2FA? So when a user is missing TOTP, what do they do? I see a guide to download passcode numbers, but in some cases they leave this PDF.

If I'm not mistaken, you should disable the user as per the Disabling 2FA for an user section, let the user log in, and then they should be able to set up their 2FA again as if it were an account that had never set it up.

Please test this with some test accounts and report back because it would be nice to have it documented.

Also check the Re: Reset 2F Auth Secret of an account explanation, where how to enable it again might be explained:

> As an Admin, after setting zimbraFeatureTwoFactorAuthAvailable to TRUE, you (Admin) need to set zimbraTwoFactorAuthEnabled to FALSE so that the user can log in with username and password only and can set up fresh 2FA from Preference > Accounts > Account security.
>
> zmprov ma test1@`zmhostname` zimbraFeatureTwoFactorAuthAvailable TRUE
> zmprov ma test1@`zmhostname` zimbraTwoFactorAuthEnabled FALSE

Please help me with these instructions after your tests and write some nice instructions that don't involve the CLI so that I can improve the README.

Thanks!

cvhoangpt commented 1 month ago

Thanks for your reply. Does this 2FA work with IMAP or POP3?

adriangibanelbtactic commented 1 month ago

> Thanks for your reply. Does this 2FA work with IMAP or POP3?

Yes. I beg you to read the README.

cvhoangpt commented 1 month ago

Many thanks. So, do you know how to prevent brute-force attacks via IMAP or POP3?

adriangibanelbtactic commented 1 month ago

> Many thanks. So, do you know how to prevent brute-force attacks via IMAP or POP3?

Well, that's a bit off-topic; you could use fail2ban, I guess. There is plenty of documentation out there explaining how to use it with Zimbra.

In any case, brute-forcing IMAP while 2FA is enabled is not as easy, because the cracker is targeting a specific password, not a hash collision as happens when 2FA is not enabled.

So, yes, enabling 2FA sort of prevents brute-force attacks from being successful.

cvhoangpt commented 1 month ago

I can only say thank you very much, and I will do what you just mentioned.

adriangibanelbtactic commented 1 month ago

> I can only say thank you very much, and I will do what you just mentioned.

Cool.

Waiting for your suggested 2FA token reset instructions so that we can improve the documentation.