the-djmaze / snappymail

Simple, modern & fast web-based email client
https://snappymail.eu
GNU Affero General Public License v3.0
1.01k stars, 121 forks

Add Captcha protection to the Login #222

Closed PeopleInside closed 2 years ago

PeopleInside commented 2 years ago

Is your feature request related to a problem? Please describe.

Can a reCaptcha protection for login be added? This was present in RainLoop as a plugin.

Describe the solution you'd like

Having a ReCaptcha plugin that protects access from brute-force attempts. In RainLoop there was a plugin that added reCaptcha and asked for the check after a few wrong login attempts.

It would be nice to see this implemented in SnappyMail too, for security.

A question: how do I configure fail2ban? I have it active on Plesk; do I need to do some configuration to make it work with SnappyMail?

the-djmaze commented 2 years ago

> Can a reCaptcha protection for login be added?

You could write a plugin if needed? reCaptcha is a paid service; did you consider hCaptcha?

> A question: how do I configure fail2ban? I have it active on Plesk; do I need to do some configuration to make it work with SnappyMail?

Read https://github.com/the-djmaze/snappymail/tree/master/fail2ban

PeopleInside commented 2 years ago

> You could write a plugin if needed?

I'm not a developer, so I have no idea how to do it.

> reCaptcha is a paid service; did you consider hCaptcha?

Since when is reCaptcha a paid service? https://support.google.com/recaptcha/?hl=it#6080904

the-djmaze commented 2 years ago

> I'm not a developer, so I have no idea how to do it.

Copy the RainLoop version: https://github.com/RainLoop/rainloop-webmail/tree/master/plugins/recaptcha

> Since when is reCaptcha a paid service? https://support.google.com/recaptcha/?hl=it#6080904

https://cloud.google.com/recaptcha-enterprise/pricing

PeopleInside commented 2 years ago

Thanks, I tried to rename

- `ajax.action-pre-call` into `json.action-pre-call`
- `filter.ajax-response` into `filter.json-response`

in the recaptcha plugin's index.php file, then uploaded it to the plugins folder on the server, but when I load the extensions page in the admin UI it says it cannot access the extension, so uploading the recaptcha folder into plugins broke everything.

I need to wait for someone to implement the function.

I use reCaptcha free V2 and V3 on my websites without issue, so reCaptcha is still free even if there is an enterprise paid plan. I'm not a business, so I use the free V2 or V3.

For security it would be nice to have a ReCaptcha on login that is shown maybe after login fails XX times. I hope someone can help us resolve this.

Thanks for your help.

the-djmaze commented 2 years ago

reCaptcha is not really secure. You could hire people who crack the captcha for $1.

Better use the TOTP/2-factor plugin.

PeopleInside commented 2 years ago

@the-djmaze thanks, but ReCaptcha helps me stop some spam, so it's doing its job.

> Better use the TOTP/2-factor plugin.

Yes, I have something like 10 email addresses. I activated 2-step for one address, but I cannot add 10 addresses with 10 2-step codes.

Anyway, the fail2ban guide also only helped partially because I'm using Plesk... I figured out, thanks to the guide but also from my own intuition, how to set up fail2ban in Plesk so that it works.

Now if someone tries to log in with many failed login attempts, they will be banned. Tested and works.

You can close this issue if you want, or you can keep it open so that maybe in the future an additional plugin will help to add ReCaptcha.

the-djmaze commented 2 years ago

> Yes, I have something like 10 email addresses. I activated 2-step for one address, but I cannot add 10 addresses with 10 2-step codes.

In Settings -> Accounts you can add accounts for easy switching. Then you only need one TOTP code. The passwords of the additional accounts are stored encrypted with the password of the main account and a salt.

> You can close this issue if you want, or you can keep it open so that maybe in the future an additional plugin will help to add ReCaptcha.

I will keep it open. I've looked at the captcha.js code and I understand why it fails. It relies on jQuery and SnappyMail doesn't have that. So maybe I will eventually modify it.

PeopleInside commented 2 years ago

> In Settings -> Accounts you can add accounts for easy switching. Then you only need one TOTP code.

Yes, but this will not "increase the security". I mean that without protection on the login, each single email address that does not have two-step active can be brute-forced, even if you protect just one email address and add all the others as you suggested.

Currently the good thing is that I was able to configure fail2ban on Plesk to ban in case of wrong login attempts to SnappyMail, so now my login should be secure.

> I will keep it open. I've looked at the captcha.js code and I understand why it fails. It relies on jQuery and SnappyMail doesn't have that. So maybe I will eventually modify it.

Great, thanks for keeping this open and for giving it some attention :)

the-djmaze commented 2 years ago

I got it working, but you need v2.12 (not released yet) AND you must have a big CSP setting in application.ini

content_security_policy = "default-src 'self'; script-src 'self' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'; frame-src https://www.google.com/recaptcha/, https://recaptcha.google.com/recaptcha/"

PeopleInside commented 2 years ago

Oh, so I will see it supported when 2.12 is released. Can you also add the ReCaptcha extension so it can be activated in the admin panel? I mean, integrate the ReCaptcha extension like the two-factor one?

the-djmaze commented 2 years ago

Added ;)

PeopleInside commented 2 years ago

The plugin is now shown on the admin side, but after inserting the site key and private key it seems the captcha is never shown on the login page, even if I set the limit value to 0.

Were you able to see the ReCaptcha shown on the login page?

the-djmaze commented 2 years ago

Did you modify the content_security_policy?

PeopleInside commented 2 years ago

Yes, only now. I can see this in the browser dev console:

The Content-Security-Policy directive name 'https://recaptcha.google.com/recaptcha/' contains one or more invalid characters. Only ASCII alphanumeric characters or dashes '-' are allowed in directive names.
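The console error quoted above is what a browser reports when a CSP header value contains a comma outside a quoted token: the HTTP header syntax treats a comma as the separator between two policies, so everything after the comma in the posted `frame-src` directive is parsed as a second policy whose first token becomes a directive name, and `https://recaptcha.google.com/recaptcha/` is not a valid one (source expressions within a directive are separated by whitespace, not commas). The following is an added example, my code rather than SnappyMail's, that parses a serialized CSP value the way browsers do and flags invalid directive names; the value posted earlier in this thread and a corrected copy with the comma removed are embedded as constructed inputs, and the function names are mine.

```javascript
// Added example, not SnappyMail code: parse a serialized Content-Security-Policy
// header value as browsers do and report directive names that are not valid.
// A header value is a comma-separated list of policies; each policy is a
// semicolon-separated list of directives whose first token is the name and
// whose remaining whitespace-separated tokens are its values.
const DIRECTIVE_NAME = /^[A-Za-z0-9-]+$/;

function parseCsp(serialized) {
  return serialized.split(',').map((policy) =>
    policy
      .split(';')
      .map((d) => d.trim())
      .filter((d) => d.length > 0)
      .map((d) => {
        const [name, ...values] = d.split(/\s+/);
        return { name, values, valid: DIRECTIVE_NAME.test(name) };
      })
  );
}

function invalidDirectiveNames(serialized) {
  return parseCsp(serialized)
    .flat()
    .filter((d) => !d.valid)
    .map((d) => d.name);
}

// Policy count plus the list of bad directive names, for a quick check.
function summarize(serialized) {
  const policies = parseCsp(serialized);
  return { policyCount: policies.length, invalid: invalidDirectiveNames(serialized) };
}

// The value posted earlier in this thread (constructed input). The comma inside
// frame-src starts a second policy whose first "directive" is the second URL.
const POSTED_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'; frame-src https://www.google.com/recaptcha/, https://recaptcha.google.com/recaptcha/";

// Same value with the comma removed: one policy, every directive name valid.
const FIXED_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'; frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/";

console.log(summarize(POSTED_CSP)); // 2 policies, invalid: ["https://recaptcha.google.com/recaptcha/"]
console.log(summarize(FIXED_CSP));  // 1 policy, invalid: []
```

Two practitioner caveats on the corrected value: the browser silently ignores the malformed second policy, so the first policy was in force all along and the frame-src list simply lacked the second origin; and `'unsafe-eval'` in `script-src` plus `'unsafe-inline'` in `style-src` noticeably weaken the policy, so they deserve a look once the captcha works.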

PeopleInside commented 2 years ago

Maybe it was a wrong update issue. I need to discover how to update using FTP. Resolved.

PeopleInside commented 2 years ago

Can you help me understand how to fix the error in the existing install? I'm only able to see the captcha work on a new install. Maybe because there is an htaccess file or something to fix in the update process?

the-djmaze commented 2 years ago

I will work something out to have better CSP control for this issue. Currently I'm thinking about a class/function to manage each section.

PeopleInside commented 2 years ago

Currently it seems I cannot use the recaptcha extension in my existing install. I have not checked whether it works with two-factor also active.

If I'm not wrong, in RainLoop the two-step code is not shown on the login page under email and password but is asked only after the password check, and only if the account has two-step active. Maybe it is better this way.

the-djmaze commented 2 years ago

In RainLoop it gets activated after 0 - 5 failed login attempts (depends on the setting). For now it is always active so that the CSP can be checked, else you never know if it really works.

PeopleInside commented 2 years ago

It is better in RainLoop, where the two-step code is asked only after entering the username and password of an account that has 2-factor active.

Regarding the Captcha, the admin can choose to set 0 to always show it, or set 5, fewer or more errors before asking for the Captcha.

PeopleInside commented 1 year ago

I'm still unable to use the ReCaptcha plugin, see: https://github.com/the-djmaze/snappymail/discussions/841