Exim 2FA two factor authentication

tarta (Verified User, joined Jan 31, 2018, 81 messages)
Hi all,
I have Debian 11 vps with exim running as MTA.
How can I:
1) implement two-factor authentication and
2) enforce all user accounts to use it?
Thanks!
 
Two-factor authentication is not supported on email protocols. If you were to enforce such a thing (though no such function exists in Exim), no one would be able to use any standard email client, only one modified to work with it. What leads to the common misunderstanding are services like Gmail, which have become so popular that email client developers have actually built those proprietary login systems into their software.
 
OK, if I can't enforce it on the server level, how can I enable it for individual accounts to use e.g. TOTP as 2FA?

what I want to achieve is:
- enable 2FA for email logon via e.g. roundcube for dialog logon
- generate application-password for non-interactive (e.g. Outlook / SMTP) mail access

what are the options?
 
- generate application-password for non-interactive (e.g. Outlook / SMTP) mail access
This does not exist in DA. It's not Apple. Apple is requiring application passwords if you're not using an Apple device for example for your mail.
So this application password must be generated on the Apple site.

For email there is a separate password for the DA login and the email account login. So those are already different passwords. So why should there be another different password?

If you mean something else, please explain, I might have misunderstood something.

- enable 2FA for email logon via e.g. roundcube for dialog logon
DA does not have something like that, neither does any other panel.
If you want this, the best way is to suggest it via a feature request. People interested can vote on that and then it might get added. This has to be done at the feedback forum; you have to create a separate login for that.
 
For now I've implemented https://packagist.org/packages/alexandregz/twofactor_gauthenticator
but I also need an option to generate application passwords for non-interactive (e.g. Outlook / SMTP) mail access.

While that's nice and cool, you'll have to disable external access to Dovecot/Exim to prevent people from just logging directly into the mail server with any other email client. Roundcube is just one email client, so that is in fact all that is limited by the plugin. It may provide your users with a sense of security, but I would argue that it's a false sense.

I actually wrote an article about this: https://mxroute.com/docs/#/Security/2fa
 
One of the major problems, though, which will continue and get worse with time, is that if we do not find a proper way to integrate 2FA with Exim and Dovecot, even if that means using an add-on in Outlook or Thunderbird, businesses and enterprises will continue to move to security-compliant providers such as Microsoft or Google, who offer 2FA, mainly because compliance audits and technology insurers are starting to require it, or its absence is considered a risk.

And let's be honest, while Roundcube is all cute and everything, it is clearly not a professional mail client like Thunderbird or Outlook (desktop version), not to mention add-on integration with other software, or security-wise (displaying HTML content in a web browser, instead of a mail client downloading mail and being able to scan it with various security systems before it is delivered and/or shown to the end client).

As far as I understand, 2FA using certificates (even if the management of this is a real PITA) is another possibility, right? Something that is cross-platform compatible like a YubiKey with smart card PIV capability or something similar?
 

Certainly I agree but this is outside of the scope of DirectAdmin. They're not going to pursue an experimental (if it even exists) build of apps that breaks every regular user's expectations, software, etc. Instead, you'll want to look into building a new RFC for how email works, getting acceptance by all stakeholders (and learning who those are), and then lobbying for the change with the developers of Dovecot and Exim, as well as the major email client developers. I'm sure the rest would follow if you get those on top of the industry behind you.

Now if you're up for building plugins to these apps and open sourcing them, that might help create more pressure to normalize their behavior.
 
Actually, since certificate management is one way that already exists, DirectAdmin (the Pro Pack) could possibly think about integrating a UI to make certificate-based authentication easier.

I for one would probably switch a couple of servers to a monthly license if that were a thing, just because of compliance. Being compliant is not an "expectation"; it is a business requirement for any serious business these days.

Besides, to achieve a real, true 2FA, it would simply require Dovecot/Exim to have a sub-table for storing the OTP/U2F challenge state, to know which users have 2FA and which don't, and then return a specific error code requiring a 2FA challenge (or not). The rest of the mail client integration can be left to developers and sub-developers (add-ons), but until, like you said, someone thinks about updating the RFC and then implements the change, I guess the popularity and adoption will simply shrink with time, and businesses will continue to force their way out of it, because sadly, we're in 2022.
 
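As an added illustration of the two ideas raised in this thread (not code from the thread, from Exim, Dovecot or DirectAdmin): the per-user table that records who has 2FA enrolled and answers interactive logins with a distinct "2FA required" result, plus per-client application passwords for non-interactive IMAP/SMTP clients once a user has enrolled TOTP. The password scheme, the `MailUser` table layout, the result strings and the test user are all assumptions made for this example; the TOTP part follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits).

```python
"""Model of a mail auth table with TOTP 2FA and app passwords (constructed example)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOTP_STEP = 30    # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password scheme the real server uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class MailUser:
    """One row of the hypothetical auth table; totp_secret stays None until enrolled."""
    pw_salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None
    # label (e.g. "outlook") -> (salt, hash) of an application password
    app_passwords: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)


def new_user(password: str) -> MailUser:
    salt = secrets.token_bytes(16)
    return MailUser(pw_salt=salt, pw_hash=_hash(password, salt))


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept codes within +/- `window` steps to tolerate small clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


def enroll_totp(user: MailUser) -> bytes:
    """Mark the user as 2FA-enrolled; the secret is what the authenticator app stores."""
    user.totp_secret = secrets.token_bytes(20)
    return user.totp_secret


def create_app_password(user: MailUser, label: str) -> str:
    """Issue a random per-client password (shown once) for IMAP/SMTP clients."""
    pw = secrets.token_urlsafe(18)
    salt = secrets.token_bytes(16)
    user.app_passwords[label] = (salt, _hash(pw, salt))
    return pw


def _check_app_password(user: MailUser, password: str) -> bool:
    ok = False
    for salt, h in user.app_passwords.values():
        # Check every entry so timing does not reveal which label matched.
        ok |= hmac.compare_digest(_hash(password, salt), h)
    return ok


def login_interactive(user: MailUser, password: str, code: Optional[str], unix_time: int) -> str:
    """Webmail dialog login; returns 'ok', 'need_2fa' or 'fail'."""
    if not hmac.compare_digest(_hash(password, user.pw_salt), user.pw_hash):
        return "fail"
    if user.totp_secret is None:
        return "ok"                      # user never enrolled 2FA
    if code is None:
        return "need_2fa"                # the distinct "challenge required" result
    return "ok" if verify_totp(user.totp_secret, code, unix_time) else "fail"


def login_client(user: MailUser, password: str) -> str:
    """Non-interactive IMAP/SMTP login. Once 2FA is enrolled, the primary password is
    no longer accepted on this path; only application passwords are."""
    if user.totp_secret is None:
        return "ok" if hmac.compare_digest(_hash(password, user.pw_salt), user.pw_hash) else "fail"
    return "ok" if _check_app_password(user, password) else "fail"
```

The point of splitting `login_interactive` from `login_client` is the one made earlier in the thread: a webmail plugin alone leaves the IMAP/SMTP path unprotected, so the server-side table has to refuse the primary password there as soon as a user enrolls, and hand out revocable per-client passwords instead.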