Self-Hosting Email with 2FA Security

nqservices Member
edited January 2018 in General

Hi,

Does anyone know of self-hosted commercial or open-source email software that has 2FA as a security feature?

Thanks


Comments

  • vovler Member
    edited January 2018

    You got mautic, not sure if it has 2FA, but since it's open source you can code something into it.

  • jar Patron Provider, Top Host, Veteran
    edited January 2018

    I'm not aware of any preconfigured environment for that which has any reasonable security. The problem is that you have to build custom solutions on top of the mail server because all of the email protocols (POP, IMAP, SMTP) do not support 2FA. Google gets away easy with this because their name is so large that email clients will seek to accept their login implementation, but not just anyone is going to have that kind of weight. The rest of us would have to deal with application specific passwords at best, which is not 2FA but a workaround/backdoor for it. Frankly, that's what Google lets you do for applications that aren't developed to use their custom login.

    Short version is that it's not possible. Long version is that it's possible if you carry a lot of weight or intend to only function with email clients that you produce, but then such an open source preconfigured environment is not available to my knowledge.

    Thanked by 1: Aluminat
  • Hi @jarland,

    Thanks for the information. Yes, I think you are right: using POP/IMAP/SMTP will not work. So the only way I see is by using a phone app that supports 2FA and only checking email in the browser or in the phone app (ex: ProtonMail).

    I have asked this because with the recent security issues found in CPUs, email security is at least for me an increasing concern.

    Hope the email industry can find ways to work this out. 2FA is critical for security (especially using a Yubikey 4).

  • Mr_Tom Member, Host Rep

    I use mailcow for some things and there is an option for the webmail/admin interface to use 2FA, although I've not looked into it so can't comment on if it will work for your needs.

  • @Mr_Tom said:
    I use mailcow for some things and there is an option for the webmail/admin interface to use 2FA, although I've not looked into it so can't comment on if it will work for your needs.

    That seems a good start! Anyone using 2FA with mailcow?

  • Mr_Tom Member, Host Rep
    edited January 2018

    Just re-read some of the docs and it does mention support for yubikeys.

    Although it doesn't seem to explicitly say, it seems the 2FA is only on the admin area. There is some info on the SOGo bugs pages about implementing 2FA there though, which may or may not be useful.
    Edit: SOGo being the webmail suite mailcow uses.

  • @Mr_Tom said:
    Just re-read some of the docs and it does mention support for yubikeys.

    Even if they don't support FIDO U2F, you can always get it to work with a Yubikey 4, since it can act as and replace the 2FA app on the phone (ex: Google Authenticator). I bought some Yubikeys some months ago and since then have switched all 2FA from the phone to the Yubikey. It's a lot more secure.

  • And how does this work in practice? I mean, does your phone ping you to enter a current 2nd factor every time IMAP IDLE connection breaks? Like, how often will that be then?

  • CrossBox Member, Patron Provider

    We did integrate 2FA for IMAP in our stand alone version. Here is how it works:

    First, you activate 2FA via application interface as seen here

    Then, when you want to log in via web application, you first provide password for email account and if it's correct, you'll be asked for PIN code as seen here

    However, if you read email via some other mail client like Thunderbird and you have 2FA enabled, then you'll need to specify 2FA code along with your password by merging them together using the following format: password|PINcode

    This is currently the only way to support 2FA in all mail clients and provide some additional security for IMAP. The PIN code expires for the IMAP session every X hours (you specify how often when setting up 2FA).

    This way every time the PIN code expires, your mail client will ask you to re-login.
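The scheme CrossBox describes above, as an added example that is not CrossBox's code or anyone else's on this thread: a toy Python backend with a TOTP second factor for the web login (password prompt, then PIN prompt), the "password|PIN" convention for IMAP/POP clients that only have one password field, and a server-side session that keeps the accepted combined string valid for a configurable window and then forces the client to re-prompt. The PBKDF2 parameters, the session length, and the RFC 4226 test-vector key used as the TOTP secret are assumptions for the example. Two details the post does not spell out but a practitioner would want: the split is on the last `|`, so a password that itself contains `|` still parses, and each TOTP step is consumed only once for a fresh login, so a PIN sniffed or replayed after the session window does not open a new one.

```python
"""Toy mail-auth backend for the thread's "password|PIN" IMAP scheme.
Added example; not CrossBox's product code. The secret below is the
RFC 4226 test-vector key, used so the expected codes are well known."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30           # seconds per TOTP time step (RFC 6238 default)
PBKDF2_ROUNDS = 100_000  # assumption for the example; tune for your hardware

# RFC 4226 Appendix D test secret, not a real key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // TOTP_STEP, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """One mailbox with a password, a TOTP secret and an IMAP session window."""

    def __init__(self, password: str, totp_secret: bytes, imap_ttl: int = 8 * 3600):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.imap_ttl = imap_ttl        # "the PIN expires for the IMAP session every X hours"
        self.last_counter = -1          # highest TOTP step already consumed (replay guard)
        self.imap_session_until = 0     # unix time at which the cached credential dies
        self.imap_session_hash = b""    # sha256 of the accepted "password|PIN" string

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

    def check_totp(self, code: str, now: int, skew: int = 1) -> bool:
        """Accept the current step or one step either side for clock drift,
        but never a step at or below one already used: each code works once."""
        for drift in range(-skew, skew + 1):
            counter = now // TOTP_STEP + drift
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False


def login_web(acct: Account, password: str, code: str, now: int) -> bool:
    """Webmail: password first, then the PIN (two prompts, as CrossBox describes)."""
    return acct.check_password(password) and acct.check_totp(code, now)


def login_imap(acct: Account, credential: str, now: int) -> bool:
    """IMAP/POP clients send one password string, so the PIN rides along as
    'password|PIN'. The first successful login opens a session; the client can
    resend the same stored string until imap_ttl runs out, after which the stale
    PIN fails and the client has to prompt for a new one."""
    cred_hash = hashlib.sha256(credential.encode()).digest()
    if now < acct.imap_session_until and hmac.compare_digest(cred_hash, acct.imap_session_hash):
        return True
    # rpartition: split on the LAST '|', so a password containing '|' still parses
    password, sep, pin = credential.rpartition("|")
    if not sep:
        return False                       # no PIN at all: 2FA is on, so refuse
    if not acct.check_password(password):  # password first, so a wrong password
        return False                       # cannot burn a TOTP step
    if not acct.check_totp(pin, now):
        return False
    acct.imap_session_until = now + acct.imap_ttl
    acct.imap_session_hash = cred_hash
    return True


if __name__ == "__main__":
    acct = Account("correct horse", TEST_SECRET, imap_ttl=60)
    print(login_web(acct, "correct horse", totp(TEST_SECRET, 59), 59))        # True
    cred = "correct horse|" + totp(TEST_SECRET, 90)                             # a later step
    print(login_imap(acct, cred, 90))                                          # True, opens session
    print(login_imap(acct, cred, 120))                                         # True, cached
    print(login_imap(acct, cred, 200))                                         # False, expired
```

The session cache is what makes the "re-login every X hours" behaviour work with a client that just resends its stored password; without it every IMAP reconnect would need a fresh PIN, which is the problem southy raises further down.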

  • @southy said:
    And how does this work in practice? I mean, does your phone ping you to enter a current 2nd factor every time IMAP IDLE connection breaks? Like, how often will that be then?

    In practice it works in a very simple way:

    a) Install the ProtonMail app on Phone
    b) Setup Account with username + password
    c) It asks for the 2FA code. You enter the code.

    After that the phone will not ask for the 2FA code again. When accessing via webmail it always asks for 2FA. The only thing ProtonMail does not have is IMAP/POP/SMTP access.

    @CrossBox said:
    We did integrate 2FA for IMAP in our stand alone version. Here is how it works:

    That seems really cool! Do you provide that service? What are the details and prices? Also what's your website so I can check.

  • jar Patron Provider, Top Host, Veteran
    edited January 2018

    nqservices said: In practice it works in a very simple way:

    a) Install the ProtonMail app on Phone b) Setup Account with username + password c) It asks for the 2FA code. You enter the code.

    That's the key, it only works in a reasonable way when you're using an application designed to work on that service, or when you're so big (like Google) that no one wants your software unless it works with your specific implementation.

    I think application-specific passwords are the way to go tbh. Generate an app-specific password for each one, all authenticating on the same account, and put 2FA on any web-facing frontends, where the web-facing PW doesn't work for IMAP/POP/SMTP. It's not true 2FA, but it basically says to the customer "You can use the secure method or the less secure standards, do as you please."

  • CrossBox Member, Patron Provider

    @nqservices The app is currently running with limited number of providers, in closed beta stage. We had a thread here on LET about the app and we are currently wrapping everything up before launching a public release, which should be very very soon.

    Until then you can check out this thread in which we described some of the app's powerful features.

  • nqservices Member
    edited January 2018

    Just now found that ZOHO, even on their free plan, supports 2FA for webmail, including specific codes to use with IMAP in applications: https://www.zoho.eu/mail/help/adminconsole/two-factor-authentication.html

    At a first look it really seems to be a good model in terms of security for email. Anyone using ZOHO Mail? Are they reliable?

  • jar Patron Provider, Top Host, Veteran

    @nqservices said:
    Just now found that ZOHO, even on their free plan, supports 2FA for webmail, including specific codes to use with IMAP in applications: https://www.zoho.eu/mail/help/adminconsole/two-factor-authentication.html

    At a first look it really seems to be a good model in terms of security for email. Anyone using ZOHO Mail? Are they reliable?

    They had a rough patch a while back but they were heavily praised before it, and I've heard few bad things since their recovery. You're always going to hear SOME bad things, so when I say few I mean about what I'd expect to hear about any (mxroute included).

  • WSS Member

    "Self hosting email with 2FA" is about as derp as it gets.

    Your TLS connection is the least of the concern.

  • @WSS said:
    Your TLS connection is the least of the concern.

    What should be my major concern?

  • WSS Member

    @nqservices said:
    What should be my major concern?

    The security of your mailspool.

    Thanked by 1: szarka
  • @WSS said:
    The security of your mailspool.

    Ok.. so what is your advice?

  • WSS Member

    @nqservices said:
    Ok.. so what is your advice?

    If you can't trust your own administrative capabilities of keeping it safe, 2FA won't be the problem.

  • @WSS said:
    If you can't trust your own administrative capabilities of keeping it safe, 2FA won't be the problem.

    Ok, so from your point of view anyone that "trusts" their own administrative capabilities cannot be hacked. I suppose that is your case, correct? From your comments it seems you really trust your admin capabilities, so I guess you are hack-proof! If at least NASA and the FBI or even Intel had you working for them, none of the past hacks would have happened.

    I really feel happy for you! Wish I had the "trust"! ;)

  • WSS Member

    @nqservices I was trying to be helpful by pointing out the logical fallacies of your own ideals-as-truths, but you know what? I'm done. Eat a dick.

  • @WSS said:
    @nqservices I was trying to be helpful by pointing out the logical fallacies of your own ideals-as-truths, but you know what? I'm done. Eat a dick.

    Very polite.. people with behaviour like yours are just not worth my time. Insulting me, when I was nothing but polite?! I was raised different!

    And it's also bad for this community, when trying to have a conversation about a useful topic (email 2FA security) and you come with comments that instead of helping...

    Feel free not to comment on any more of my topics and I will try to do the same on yours.

    Have (or get) a nice life!

  • WSS Member

    @nqservices said:
    Very polite.. people with behaviour like yours are just not worth my time. Insulting me, when I was nothing but polite?! I was raised different!

    I wasn't going to reply, but you instantly went into CIA/NSA/etc as a counterargument, when I only said "Your mailspool is as secure as your access." It wasn't political at all.

    And it's also bad for this community, when trying to have a conversation about a useful topic (email 2FA security) and you come with comments that instead of helping...

    Much like your political skew.

    Feel free not to comment on any more of my topics and I will try to do the same on yours.
    Have (or get) a nice life!

    Agreed. We can fuck off from each other forever.

  • If you just mean for webmail, then as you found, 2FA is not a big deal. For pop/imap/smtp, as Jarland says, it's more complicated. The hardcore way to do it would be to disallow access to pop/imap/smtp except through SSL connections authenticated with client certificates, or require the use of a VPN secured by 2FA. I don't know of anyone who actually does that for email, which is generally considered a low security medium.

  • nqservices Member
    edited January 2018

    @willie said:
    If you just mean for webmail, then as you found, 2FA is not a big deal. For pop/imap/smtp, as Jarland says, it's more complicated. The hardcore way to do it would be to disallow access to pop/imap/smtp except through SSL connections authenticated with client certificates, or require the use of a VPN secured by 2FA. I don't know of anyone who actually does that for email, which is generally considered a low security medium.

    As said in my comment about ZOHO, they have 2FA for webmail and then a way to also work with a static code for apps, like Outlook and others that use IMAP or POP. I leave the link again so you can read the details, especially the section "Generating Application-Specific Passwords"

    https://www.zoho.eu/mail/help/adminconsole/two-factor-authentication.html

  • nqservices said: static code for apps, like Outlook and others that use IMAP or POP.

    Right, that's basically a password, i.e. 1 factor. You were asking about 2FA and that isn't it.

    Thanked by 1: jar
  • MikePT Moderator, Patron Provider, Veteran

    @willie said:
    If you just mean for webmail, then as you found, 2FA is not a big deal. For pop/imap/smtp, as Jarland says, it's more complicated. The hardcore way to do it would be to disallow access to pop/imap/smtp except through SSL connections authenticated with client certificates, or require the use of a VPN secured by 2FA. I don't know of anyone who actually does that for email, which is generally considered a low security medium.

    Correct. Theoretically, you can make the password include the 2FA code, but, still, it's not very practical. 2FA in webmail makes sense, though it doesn't in SMTP, etc, IMHO.

    Just use PGP if you want to prove that's really you sending the emails.

  • What is the attack scenario you are trying to protect against?

    • Brute force auth attacks? - then individual client TLS certs or device / app specific passwords would do
    • Loss or compromise of a device with access - then some one-time password scheme, but notice this is worthless if you have the app for generating the response on the same device.
  • CrossBox said: However, if you read email via some other mail client like Thunderbird and you have 2FA enabled, then you'll need to specify 2FA code along with your password by merging them together using the following format: password|PINcode

    What's the point of this? That's not 2FA

    2FA is great, but proper brute force protection and a really long-ass password is generally good enough

  • nqservices Member
    edited January 2018

    @MikePT said:
    Just use PGP if you want to prove that's really you sending the emails.

    My point does not have anything to do with PGP, because my main objective is not to ensure the emails are sent by me. My objective is to ensure the maximum security on my email access.

    @svmo said:
    What is the attack scenario you are trying to protect against.

    • Brute force auth attacks ? - then individual client TLS certs or device / app specific passwords would do
    • Loss or compromise of a device with acces - Then some one time password scheme, but notice this is worthless if you have the app for generating the response on the same device.

    @lukehebb said:
    What's the point of this? That's not 2FA

    2FA is great, but proper brute force protection and a really long-ass password is generally good enough

    Email security is becoming more and more important each day. And for me the best way to stay safe is to assume that ALL my passwords were or can be in the near future hacked (yes, I use password managers).

    By assuming that all my passwords are or will be hacked, I can take appropriate steps to ensure the hacker still cannot access my services and accounts. For that to be possible, 2FA must be in place.

    So, in this specific case, with the way ZOHO Mail 2FA works, I leave below just one of many possible scenarios where email 2FA protection can increase the overall email security a LOT:

    Company XYZ - Example 1:

    a) Webmail access can only be made using 2FA. This ensures that even if a hacker from the other side of the world has your passwords, he still cannot log in to your webmail without the 2FA code.

    b) Desktop mail software (ex: Outlook using IMAP) access can only be made by using a specific one-time password created just for that specific app, Outlook/computer (that tracks the access IP). This way, the hacker cannot access your email using IMAP/POP. For the hacker to gain this access he first has to hack your own computer. This makes the attack surface a lot smaller and keeps you safe in case your password manager (ex: LastPass) is hacked.

    c) If the company uses web software that uses email (IMAP/POP), like for example the support desk in WHMCS or Blesta, the email piping can be set up using a one-time password for each application. This app password on ZOHO is shown only one time and I can just copy/paste it directly into the app and not have to store it or save it anywhere. That way, if the app is hacked, the hacker will only have that one-time password, which can be revoked or limited by IP access. Also, the hacker cannot use that specific password to access email from their own computer because it's limited by my IP restriction/whitelist.

    To summarize, I know that this is not a perfect security solution. But from what I'm researching it is the best option in terms of email security, and that is why we are beginning to see a lot of market share gains by email providers that offer this kind of 2FA protection.

    At least this ensures you are protected from the simplest hack, which is someone else having access to ALL your email on any computer with just the password.

    If I'm wrong, please tell me where. If you have any better ideas in terms of email security, feel free to share.
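The application-specific-password model jar recommends earlier in the thread and the Zoho-style setup nqservices walks through just above (a per-app password shown once, revocable, optionally pinned to a source IP), as an added example that is not Zoho's, mxroute's or any other provider's code: a toy Python backend in which the webmail password is never accepted on IMAP/POP/SMTP and an app password is never accepted on the web frontend. The labels, the 16-character alphabet, the PBKDF2 parameters and the sample addresses (203.0.113.0/24 and 198.51.100.1 are documentation ranges) are assumptions for the example. As willie points out, an app password is still one factor for that one client; what the model buys is containment: a stolen password-manager entry does not open the mailbox over IMAP, and a leaked app password can be revoked on its own and only works from the networks it was pinned to.

```python
"""Toy app-specific-password backend. Added example; not any provider's code.
Webmail accepts only the master password (second factor handled elsewhere);
IMAP/POP/SMTP accept only app passwords, each labelled, hashed, IP-pinned and
revocable on its own."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
import string
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000   # assumption for the example; tune for your hardware
ALPHABET = string.ascii_lowercase + string.digits


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AppPassword:
    label: str                 # "outlook-laptop", "whmcs-piping", ...
    salt: bytes
    digest: bytes              # only the salted hash is stored, never the secret
    networks: list = field(default_factory=list)   # empty: any source address
    revoked: bool = False

    def allows(self, client_ip: str) -> bool:
        """Revoked passwords never match; pinned ones match only from their networks."""
        if self.revoked:
            return False
        if not self.networks:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.networks)


class Mailbox:
    def __init__(self, master_password: str):
        self.salt = secrets.token_bytes(16)
        self.master_digest = _hash(master_password, self.salt)
        self.app_passwords: dict[str, AppPassword] = {}

    def create_app_password(self, label: str, allow_from=()) -> tuple[str, str]:
        """Mint a random 16-character secret. It is returned exactly once (the
        'shown one time' behaviour nqservices describes); only its hash is kept,
        so a later database leak does not leak usable app passwords."""
        secret = "".join(secrets.choice(ALPHABET) for _ in range(16))
        app_id = secrets.token_hex(4)
        salt = secrets.token_bytes(16)
        self.app_passwords[app_id] = AppPassword(
            label=label,
            salt=salt,
            digest=_hash(secret, salt),
            networks=[ipaddress.ip_network(n) for n in allow_from],
        )
        return app_id, secret

    def revoke(self, app_id: str) -> None:
        """Kill one client's credential without touching the others."""
        self.app_passwords[app_id].revoked = True

    def auth_web(self, password: str) -> bool:
        """Webmail: master password only. An app password is never enough here."""
        return hmac.compare_digest(_hash(password, self.salt), self.master_digest)

    def auth_imap(self, password: str, client_ip: str) -> str | None:
        """IMAP/POP/SMTP: app passwords only; the master password is rejected,
        so a leaked password-manager entry does not open the mailbox over IMAP.
        Returns the label of the matching app password, or None."""
        for ap in self.app_passwords.values():
            if not ap.allows(client_ip):
                continue
            if hmac.compare_digest(_hash(password, ap.salt), ap.digest):
                return ap.label
        return None


if __name__ == "__main__":
    mb = Mailbox("correct horse battery staple")
    app_id, secret = mb.create_app_password("outlook-laptop", allow_from=["203.0.113.0/24"])
    print(mb.auth_imap(secret, "203.0.113.7"))                           # outlook-laptop
    print(mb.auth_imap(secret, "198.51.100.1"))                          # None (wrong network)
    print(mb.auth_imap("correct horse battery staple", "203.0.113.7"))   # None (master rejected)
    mb.revoke(app_id)
    print(mb.auth_imap(secret, "203.0.113.7"))                           # None (revoked)
```

`auth_imap` runs one PBKDF2 per stored app password, which is fine for a handful per mailbox but not for hundreds; a real deployment would key the lookup (for example by giving each app password its own login name) so only one hash is computed per attempt.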
