On 7/4/22 15:32, Michael Peddemors wrote:
It IS possible to use 2FA on Dovecot, but it would be better if
Dovecot supported options by plugins to control which 2FA
options are advertised in the CAPABILITIES string. (Ongoing problem
getting more power into the hands of 3rd party plugins for Dovecot,
politics.. )
HOWEVER, there are many ways if you 'roll your own' Dovecot, e.g. you can
apply patches to the build process. We do this.
Having said that, yes.. especially in North America this push by
insurance agents for 2FA is driven by the ransomware problems, and
gives an insurance company a way out..
The only problem is, having looked at several of these insurance
companies' forms, it is almost as if an O365 sales person wrote the
requirements. And even IF you apply 2FA (e.g. a 2nd factor), you
might find that the insurance documents will not accept anything other
than what their legal department defined as 2FA..
The biggest problem is not the use of 2FA, it is making 2FA
transparent and simple enough for end users to adopt. End users don't
want to mess with a second factor they have to add, or a hardware
dongle, or giving their cell # out..
Which, as long as I'm the one paying for the service, isn't going to
happen. When they start paying my net bill, is when they can send me
spam. And not 1 millisecond before.
And the industry has to come together, otherwise you will quickly find
out insurance companies ONLY accept 2FA from one or two closed source
companies..
Which is why once again, I wish that Dovecot would take a leadership
role in this, and allow more 3rd party plugins to be available to
address this business need.
(Oh, on the side, there ARE some ways you can actually do 2FA
transparently, but of course the email client has to understand it.
But while you can do 'tricks' even in IMAP for 2FA, we need to think
that the same method should work for ALL communication channels which
utilize the same credentials, e.g. IMAP/SMTP/POP, even other things like
CalDAV/CardDAV etc.)
-- Michael --
This seems to be a place where the ITEF (IETF?) has seriously dropped the
ball. They do not well understand the chaos that will be created if THEY
do not set a cast iron standard that even Redmond can follow or go home. I
don't think we can scream that too loud if THEY don't get off the dime
and do something toward setting a standard. That is, according to what I
read, part of their job. So pester them until they do it. By whatever
means is at your disposal.
On 2022-06-27 07:53, justina colmena ~biz wrote:
I don't see why not.
Dovecot and Postfix are entirely configurable to connect to and use
any desired authentication mechanism through certain basic interfaces.
The main problem I have experienced with MFA is a continual battle
with extortion, "long cons," and thievery in law -- that the thieves
are able to obtain one of the necessary factors for authentication --
a dongle or cell phone app or access to a cell phone number, or
surveillance intelligence on calls or texts, whatnot -- whether by
force or deception -- and then deny the targeted individual access to
his or her own account.
Later on, after the victim has given up, the thieves are able to
obtain the other factors for authentication, and then proceed to
social-engineer a false account recovery using the victim's stolen
I.D. -- and then they often as not falsely report the victim to
gullible or complicit police forces as the thief.
If the victim cannot be successfully accused of theft in court, the
"thieves in law" at work with inside help in government and law
enforcement communities are able to cast identity theft as a mental
illness akin to dissociative identity disorder -- to which the
government offers nothing but a mental health "recovery" plan which
does not include any actual recovery of the stolen assets in a
person's name.
* https://www.identitytheft.gov/
* https://www.robodeidentidad.gov/
Casting identity theft as a mental health issue further enables
thieves to take control of a victim's finances by possibly being
appointed as guardians or payees in court. For the same reasons of
legalized theft, extortion, and wrongful appropriation through state,
local, military and federal court systems, individuals with similar
names to known criminals are not allowed to hold significant assets
in their names or possess firearms or obtain employment in sensitive
positions in the United States.
* https://en.wikipedia.org/wiki/Thief_in_law
On Sunday, June 26, 2022 2:52:05 PM AKDT, Steve Dondley wrote:
I have a small client whose insurance company insists they have MFA
for their email to be covered under some kind of data protection
policy. Currently I have the client set up on a Debian box for the
email server coupled with Roundcube for webmail. Most of the users just
use Roundcube but some also use their mobile devices to check email.
Maybe one person uses Outlook. There's about 5 to 10 users total.
I know Roundcube offers an MFA plugin. But I don't have the foggiest
idea how an iPhone, Android device, or Outlook could all be set
up to work with MFA with a standard Dovecot/Postfix setup. Are there
any practical solutions for easily implementing MFA that could work
across multiple devices?
Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Gene's Web page <http://geneslinuxbox.net:6309/>