I think it's only 12 steps. There are people who need to sober up....

On July 15, 2021 8:54:16 AM AKDT, Sebastian <sebast...@sebbe.eu> wrote:

> The thing is, that people must stop expecting "being able to access mail whenever you are" without extra steps.
>
> Best solution is to offer a webmail with TOTP or SQRL or similar secure auth method.
>
> Then have that webmail add IP or country into a trusted list, so if you want to access IMAP mail or SMTP mail from hotel wifi, you have to simply do one single login to webmail, and then your IMAP/SMTP will work as usual.
>
> The problem with certificates is, as I said, not many clients support them. Outlook supports them natively, I don't know if Windows Mail supports them, and I don't know if Samsung Mail supports them (maybe they do support client certificates in Enterprise mode, but then you need a license for that), K9 mail I know supports them, other built-in email clients I don't know if they support client certificates.
>
> The solution I have on my email is an OpenVPN connection to my server, which is protected. My phone has a 24/7 connection to that VPN server, and thus I'm able to lock out all logins from outside the VPN.
>
> -----Original message-----
> From: dovecot-boun...@dovecot.org <dovecot-boun...@dovecot.org> on behalf of @lbutlr
> Sent: 15 July 2021 18:37
> To: dovecot mailing list <dovecot@dovecot.org>
> Subject: Re: 2FA/MFA with IMAP & postfix/submission
>
> On 2021 Jul 15, at 08:52, Alex <mysqlstud...@gmail.com> wrote:
>> Client certs appears to be a good solution.
>
> A solution, certainly. A GOOD solution? Not really.
>
>> What's the process for managing them with more than a hundred client accounts?
>
> And that's the first issue.
>
> The second issue is "my primary device is not available, I need to login from this other computer or use my phone which is unsuitable for this task. Too bad I have no choice but to use the phone because this computer doesn't have the cert."
>
> And then you have the "now that I've installed this cert, this computer is considered trusted" which is another issue.
>
> 2FA is a lot more flexible and robust.
>
> OATH works well. SQRL looks promising though it requires a web UI to do the authentication (and SQRL does away with passwords as well).
>
>> I believe the problem they are trying to solve is hacked accounts from compromised passwords. Does client certs solve that problem?
>
> Maybe. Depends on if the hacker can get access to the user's machine or not.
>
>> Perhaps there are dovecot (and postfix submission) options to at least restrict access by IP?
>
> It is certainly possible in Postfix, but that opens up its own issues. It may be acceptable in some corporate environs, but in most situations being able to access your email wherever you are is a requirement.
>
> --
> The wages of sin is death, but so is the salary of virtue, and at least the evil get to go home early on Fridays. --Witches Abroad

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
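As an added illustration of the design Sebastian sketches in the quoted message (webmail login guarded by a TOTP second factor that, on success, places the client's IP on a short-lived trusted list which the IMAP/SMTP front end consults), here is a small self-contained Python model. It is example code written for this page, not code from Dovecot, Postfix or any thread participant. TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and the test vector secret is the one published in that RFC; the class and function names, the 8-hour trust TTL, the one-step clock-skew window and the IP addresses are assumptions chosen for illustration.

```python
"""Example (not from the dovecot thread): webmail TOTP login that whitelists the
client IP for IMAP/SMTP for a limited time. Names, TTL and addresses are assumed."""

import base64
import hashlib
import hmac
import ipaddress
import struct

STEP = 30      # RFC 6238 time step in seconds
DIGITS = 6     # code length
SKEW = 1       # accept one step either side of "now" to tolerate clock drift (assumption)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


class TrustedIPs:
    """Per-user allowlist of client IPs with an expiry; the IMAP/SMTP proxy checks it."""

    def __init__(self, ttl: int = 8 * 3600):
        self.ttl = ttl
        self._entries = {}  # (user, ip) -> expiry timestamp

    def add(self, user: str, ip: str, now: int) -> None:
        key = (user, str(ipaddress.ip_address(ip)))  # normalises the address text
        self._entries[key] = now + self.ttl

    def allows(self, user: str, ip: str, now: int) -> bool:
        expiry = self._entries.get((user, str(ipaddress.ip_address(ip))))
        return expiry is not None and now < expiry


class WebmailAuth:
    """Second-factor check for the webmail login; a successful check trusts the IP."""

    def __init__(self, seeds: dict, trusted: TrustedIPs):
        self.seeds = seeds      # user -> base32-encoded TOTP seed
        self.trusted = trusted
        self.used = set()       # (user, counter) already accepted: blocks code replay

    def verify_totp(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        secret = base64.b32decode(seed, casefold=True)
        counter = now // STEP
        for c in range(counter - SKEW, counter + SKEW + 1):
            if (user, c) in self.used:
                continue  # each code is accepted at most once
            if hmac.compare_digest(hotp(secret, c), code):
                self.used.add((user, c))
                return True
        return False

    def login(self, user: str, code: str, client_ip: str, now: int) -> bool:
        """Webmail login: on a valid TOTP code, whitelist the client's IP for IMAP/SMTP."""
        if not self.verify_totp(user, code, now):
            return False
        self.trusted.add(user, client_ip, now)
        return True


def mail_client_allowed(trusted: TrustedIPs, user: str, ip: str, now: int) -> bool:
    """What the IMAP/SMTP front end would ask before accepting a password login."""
    return trusted.allows(user, ip, now)


# Constructed scenario: RFC 6238 test seed "12345678901234567890" in base32.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    store = TrustedIPs()
    auth = WebmailAuth({"alice": RFC_SEED_B32}, store)
    t = 59  # RFC 6238 vector: TOTP at t=59 is 287082
    print(auth.login("alice", totp(b"12345678901234567890", t), "203.0.113.7", t))
    print(mail_client_allowed(store, "alice", "203.0.113.7", t + 1))
    print(mail_client_allowed(store, "alice", "198.51.100.9", t + 1))
```

The `used` set is the part that matters most in practice: without it, a code observed on hotel wifi could be replayed within the skew window to trust a second address. The TTL bounds how long a trusted address stays open after the user moves on, which is the same trade-off the thread raises about "this computer is considered trusted".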