Self-Hosting Email with 2FA Security - Page 2

Comments

  • williewillie Member
    edited January 2018

    nqservices said: b) Desktop Mail Software (ex: Outlook using IMAP) access can only be made by using specific one-time password created just for that specific app Outlook/Computer (that tracks the access IP).

    I've never heard of mail servers associating passwords with IPs. Lots of people these days use IMAP clients on mobile devices, which get assigned new IPs all the time, or desktop PCs on dynamic addresses.

    I think your best bet is to get the webmail, outbound smtp, imap, and pop ports off the internet entirely, so they can only be accessed through a VPN. Then you can set up the VPN to require 2FA for activation. At the end of the day it's still email though, with all kinds of interception opportunities before it even arrives at your server. Outbound email security also depends on the security of the receiving party, which you have no control over and which is usually crap.

  • @nqservices said:

    @MikePT said:
    Just use PGP if you want to prove that's really you sending the emails.

    My point does not have anything to do with PGP because my main objective is not to ensure the emails are sent by me. My objective is to ensure the max security on my email access.

    @svmo said:
    What is the attack scenario you are trying to protect against.

    • Brute force auth attacks ? - then individual client TLS certs or device / app specific passwords would do
    • Loss or compromise of a device with access - Then some one time password scheme, but notice this is worthless if you have the app for generating the response on the same device.

    @lukehebb said:
    What's the point of this? That's not 2FA

    2FA is great, but proper brute force protection and a really long-ass password is generally good enough

    Email security is becoming more and more important each day. And for me the best way to stay safe is to assume that ALL my passwords were or can be in a near future hacked (yes I use password managers).

    By assuming that all my passwords are or will be hacked, I can take appropriate steps to ensure the hacker still cannot access my services and accounts. For that to be possible 2FA must be in place.

    So, in this specific case with the way ZOHO Mail 2FA works I leave below just one of many possible scenarios where email 2FA protection can increase a LOT the overall email security:

    Company XYZ - Example 1:

    a) Webmail Access can only be made using 2FA. This ensures that even if a hacker from the other side of the world has your passwords, he still cannot login your Webmail without the 2FA code.

    b) Desktop Mail Software (ex: Outlook using IMAP) access can only be made by using a specific one-time password created just for that specific app Outlook/Computer (that tracks the access IP). This way, the hacker cannot access your email using IMAP/POP. For the hacker to gain this access he first has to hack your own computer. This makes the attack surface a lot smaller and keeps you safe in case your Password Manager (ex: Lastpass) is hacked.

    c) If the company uses web software that uses email (IMAP/POP) like for example the support desk on WHMCS or Blesta, the email piping can be set up using a one-time password for each application. This app password on ZOHO shows only one time and I can just copy/paste directly to the app and not have to store it or save it anywhere. That way if the app is hacked, the hacker will only have that one-time password that can be revoked or limited by IP access. Also the hacker cannot use that specific password to access email from his computer because it's limited by my IP restriction/whitelist.

    To sum up, I know that this is not a perfect security solution. But from what I'm researching it is the best option in case of email security and that is why we are beginning to see a lot of market share gains by email providers that offer this kind of 2FA protection.

    At least this ensures you are protected from the simplest hack, that is someone else having access to ALL your email on any computer with just the password.

    If I’m wrong, please tell me where. If you have any better ideas in terms of email security feel free to share.

    By combining your password and 2FA token you're completely missing the point of 2FA. 2FA is supposed to require a completely second method of authentication (server generates a one time use token, you are sent it in an app or SMS or something).

    All you're doing is letting me put a bit of a string in as my password, and adding a bit on the end

    Long app-specific passwords (such as Google's implementation) would be far better since none of the password is user-specified

    Securing webmail etc. with 2FA is good, and should be encouraged. I'll agree with you wholeheartedly on that

    RE the Zoho/WHMCS thing - this is where good user permissions come in to play. Only people who need to see those settings get to see those settings. Every user should be as restricted as possible (this includes directors of companies etc. too. They're normally the biggest targets!)
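Added example, not code from any poster in this thread: what the two mechanisms argued about above look like when a self-hosted mail server implements them itself, in Python. `verify_totp` is a plain RFC 6238 check for the webmail login (the server derives the code from its own copy of the seed, so no part of the second factor is user-chosen, which is the distinction lukehebb draws), and `AppPasswordStore` issues the kind of per-application password nqservices describes: random, shown once, stored only as a salted hash and, optionally, accepted only from an allowlisted CIDR, so a copy leaked from the helpdesk box is useless from anywhere else and can be revoked on its own. The names `AppPasswordStore`, `issue`/`check`/`revoke`, the label `whmcs-piping` and the addresses 203.0.113.0/24 and 198.51.100.7 are this example's own assumptions (documentation ranges, not real hosts); the TOTP seed is the RFC 6238 test vector.

```python
"""Added example (not from the thread): RFC 6238 TOTP for a webmail login
plus server-issued app-specific passwords bound to an IP allowlist, as a
self-hosted mail server could use for IMAP/POP/SMTP clients and helpdesk
pipes. Class and function names here are this example's own."""
import base64
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time

STEP = 30  # TOTP time step in seconds


def totp(secret_b32, for_time, digits=6):
    """RFC 6238 TOTP: HOTP(K, floor(T / STEP)) with dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(for_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, for_time=None, window=1):
    """Accept the current code and +/- `window` steps of clock skew.
    The server computes the expected code from its own copy of the seed;
    nothing the user types feeds into it, which is what makes it a
    second factor rather than a suffix on the password."""
    now = time.time() if for_time is None else for_time
    return any(
        hmac.compare_digest(totp(secret_b32, now + skew * STEP), code)
        for skew in range(-window, window + 1)
    )


class AppPasswordStore:
    """Per-application passwords: generated by the server, shown once,
    stored only as a salted PBKDF2 hash, optionally limited to the CIDR
    ranges the application is expected to connect from."""

    def __init__(self, iterations=100_000):
        self.iterations = iterations
        self._entries = {}  # token_id -> record

    def _hash(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.iterations)

    def issue(self, label, allowed_cidrs=()):
        """Create an app password and return (token_id, secret). The secret
        is never stored in clear, so this is the only time it is visible."""
        token_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)  # ~190 bits of entropy, not user-chosen
        salt = secrets.token_bytes(16)
        self._entries[token_id] = {
            "label": label,
            "salt": salt,
            "hash": self._hash(secret, salt),
            "networks": tuple(ipaddress.ip_network(c) for c in allowed_cidrs),
            "revoked": False,
        }
        return token_id, secret

    def check(self, token_id, secret, client_ip):
        """True only if the password matches, is not revoked, and the client
        address is inside the allowlist (an empty allowlist means any address)."""
        rec = self._entries.get(token_id)
        if rec is None or rec["revoked"]:
            return False
        if not hmac.compare_digest(rec["hash"], self._hash(secret, rec["salt"])):
            return False
        if not rec["networks"]:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in rec["networks"])

    def revoke(self, token_id):
        if token_id in self._entries:
            self._entries[token_id]["revoked"] = True


def demo():
    """Scenario from the thread: webmail requires TOTP, the helpdesk gets an
    app password pinned to the office range (203.0.113.0/24, a documentation
    prefix used here as a stand-in), and a stolen copy fails from another
    address or after revocation. Returns the observed outcomes."""
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret
    store = AppPasswordStore()
    tid, pw = store.issue("whmcs-piping", allowed_cidrs=["203.0.113.0/24"])
    results = {
        "webmail_totp_ok": verify_totp(seed, totp(seed, 59), for_time=59),
        "webmail_totp_bad": verify_totp(seed, "000000", for_time=59),
        "helpdesk_from_office": store.check(tid, pw, "203.0.113.10"),
        "leaked_from_elsewhere": store.check(tid, pw, "198.51.100.7"),
        "wrong_secret": store.check(tid, "guess", "203.0.113.10"),
    }
    store.revoke(tid)
    results["after_revoke"] = store.check(tid, pw, "203.0.113.10")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The allowlist check is what turns a leaked app password into a contained incident rather than a mailbox compromise; for roaming clients, as williewillie notes, it is not usable, which is why per-device passwords plus prompt revocation is the realistic option there, while the TOTP step stays on the interactive webmail path only.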

  • Rainloop does support 2FA and offers a free version. https://www.rainloop.net/
