> On 15/07/2021 18:37 Camilo Sperberg wrote:
>
>
> Hi all:
>
> We are currently in the process of setting up dovecot proxy so that we can
> deploy multiple machines in order to keep growing.
>
> We are trying now to create an entry point, and from there send the traffic
> to either the sam
On 15/07/2021 20.03, Gerald Galster wrote:
I have a better idea:
Have a function for whitelisting IPs, possibly /24's or similar, where a
login to roundcube or other webmail client (with 2FA) will add the IP onto a
whitelist for that account.
You could do that with fail2ban. eg
https
I think it's only 12 steps. There are people who need to sober up
On July 15, 2021 8:54:16 AM AKDT, Sebastian wrote:
>The thing is, that people must stop expecting "being able to access
>mail whenever you are" without extra steps.
>
>Best solution is to offer a webmail with TOTP or SQRL or si
You can get away with a lot for a personal server that wouldn't be acceptable
for a general purpose email server such as the need to move the fence. In my
case, I don't allow anything on the email server to be altered with a browser
interface. It is either ssh or nothing. Browsers get more compl
> Perhaps there are dovecot (and postfix submission) options to at least
> restrict access by IP?
Restricting by IP is soon going to become very tedious, especially if you are
dealing with more than a small number of users, and especially once post-COVID
travel comes back and people start con
> Client certs appear to be a good solution.
>
> What's the process for managing them with more than a hundred client accounts?
If you've got the budget ... MDM.
If you don't, you can probably hack together some sort of self-service system.
>
> I believe the problem they are trying to solve is
> I run a personal email server. I can't emphasize enough how geofencing has
> reduced the useless hacking on my email server. I only leave port 25 open to
> the world. I use port 587.
Unfortunately that's not an option for commercial mailservers. You have to be
open to communicate with the wor
Yeah, the idea was to use roundcube or another web service to add a kind of "auth
service" or "unlock service" where you can auth with 2FA to move the geofence
or permit additional IPs in the geofence. For example, if you are travelling or
otherwise need to enable your account for an "outsider IP".
This
I have found that dynamic IP blocking programs such as sshguard or fail2ban
are a CPU burden since that table needs to be refreshed as new IPs are added
or removed, so I have stopped using them.
Have you seen ipset?
https://ipset.netfilter.org/
It is built for dynamically adding/removing IPs fr
I run a personal email server. I can't emphasize enough how geofencing has
reduced the useless hacking on my email server. I only leave port 25 open to
the world. I use port 587.
I maintain a list of hosting companies that I block from using my web server
since they are just going to scrape any
Quoting Benny Pedersen:
On 2021-07-15 16:49, Alex wrote:
What about something like what we used to do with pop-b4-smtp to at
least restrict by IP address?
no, pop did not handle millions of users sharing one single NAT IP,
weakforce can't handle that either, so allow_net can't do any better
The thing is, that people must stop expecting "being able to access mail
whenever you are" without extra steps.
Best solution is to offer a webmail with TOTP or SQRL or a similar secure auth
method.
Then have that webmail add the IP or country into a trusted list, so if you want to
access IMAP mail
On 2021-07-15 16:49, Alex wrote:
What about something like what we used to do with pop-b4-smtp to at
least restrict by IP address?
no, pop did not handle millions of users sharing one single NAT IP,
weakforce can't handle that either, so allow_net can't do any better there
all i think is possibl
On 2021 Jul 15, at 08:52, Alex wrote:
> Client certs appear to be a good solution.
A solution, certainly. A GOOD solution? Not really.
> What's the process for managing them with more than a hundred client accounts?
And that's the first issue.
The second issue is "my primary device is not ava
Problem is that not many clients support it - especially mobile ones. So
wireguard VPN is the way to go, much simpler for the users.
Original message From: Rick Romero
Date: 2021-07-15 17:04 (GMT+01:00) To: dovecot@dovecot.org Subject: Re: Sv:
2FA/MFA with IMAP & postfix/subm
On 2021-07-15 8:07 a.m., Laura Smith wrote:
Perhaps there are dovecot (and postfix submission) options to at least restrict
access by IP?
Restricting by IP is soon going to become very tedious, especially if you are
dealing with more than a small number of users, and especially once post-CO
On 2021-07-15 7:54 a.m., Laura Smith wrote:
Are there multi-factor options available?
Mandating good old-fashioned client-certificates is most likely your best bet
in terms of delivering the best user-experience.
Or, you can use the CLIENT_ID SMTP extension for dovecot/postfix. For the
Quoting Alex:
Hi,
Unfortunately the best way to do multifactor authentication today
is to use OAUTH2, which isn't currently supported for own
installations. Or you can use client certs.
If you want to use some kind of MFA with tokens, you end up having
to feed your token all the time.
> Are there multi-factor options available?
Mandating good old-fashioned client-certificates is most likely your best bet
in terms of delivering the best user-experience.
Hi,
> Unfortunately the best way to do multifactor authentication today is to use
> OAUTH2, which isn't currently supported for own installations. Or you can use
> client certs.
>
> If you want to use some kind of MFA with tokens, you end up having to feed
> your token all the time. So the best
Hi,
> > Unfortunately the best way to do multifactor authentication today is
> > to use OAUTH2, which isn't currently supported for own installations.
> > Or you can use client certs.
> >
> > If you want to use some kind of MFA with tokens, you end up having to
> > feed your token all the time. So
https://testssl.sh/
Aki
> On 15/07/2021 16:51 Stefan Schumacher wrote:
>
>
> Hi Aki,
>
>
> Where do I get testssh.sl? If the script is of your design could you mail it
> to me?
>
>
> Yours
> Stefan
>
> --
> From: Aki Tuomi
> Sent: Wednesday, 14 July 2021
Hi Aki,
Where do I get testssh.sl? If the script is of your design could you mail it to
me?
Yours
Stefan
From: Aki Tuomi
Sent: Wednesday, 14 July 2021 19:34
To: Stefan Schumacher ; dovecot@dovecot.org
Subject: Re: TLS Security
> On 14/07/2021 17:55 Stefan
Hi Justina,
Kali tools is of course extremely imprecise. Excuse me, I had a long stressful
day and wanted to get this out before the end of the day. Kali is a rolling
release, which I update regularly. By Kali Tools I of course meant the
Greenbone Community Edition, of which the former and more
Hi Justina,
Kali tools is of course extremely imprecise. Excuse me, I had a long stressful
day and wanted to get this out before the end of the day. Kali is a rolling
release and I keep it up to date by upgrading every few days. I also update the
feeds. What I actually use for security scans is
On 2021-07-15 07:26, Aki Tuomi wrote:
Unfortunately the best way to do multifactor authentication today is
to use OAUTH2, which isn't currently supported for own installations.
Or you can use client certs.
If you want to use some kind of MFA with tokens, you end up having to
feed your token all
> Do you have any examples of such a function and how/where it is used ?
> I have a better idea:
> Have a function for whitelisting IPs, possibly /24's or similar, where a
> login to roundcube or other webmail client (with 2FA) will add the IP onto a
> whitelist for that account.
For s
On 15/07/2021 12:05, White, Daniel E. (GSFC-770.0)[NICS] wrote:
The custom login script -- in Dovecot or Roundcube or … ?
Is there any documentation for such scripting ?
https://doc.dovecot.org/configuration_manual/authentication/auth_policy/
It uses an http interface so it is easy to impleme
The custom login script -- in Dovecot or Roundcube or … ?
Is there any documentation for such scripting ?
-Original Message-
From: dovecot on behalf of Sebastian
Reply-To: Dovecot Mailing List
Date: Thursday, July 15, 2021 at 06:56
To: 'Mailing List'
Subject: [EXTERNAL] Sv: function
Most such functions would need to be custom.
You need to write a custom login script, which also accepts the user's IP as
input to a function, which then checks if the password is right.
And then it returns that the password is invalid if the IP isn't approved.
Then you just need to write some custom functio
Sebastian,
Do you have any examples of such a function and how/where it is used ?
-Original Message-
From: dovecot on behalf of Sebastian
Reply-To: Dovecot Mailing List
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List'
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/subm
>
>
> I'm trying to get some more confidence as to whether replication is
> actually working properly and whether I'm not missing anything that will
> burn me if I ever have to 'fallback'. Has anyone ever done some
> verification outside of simply watching doveadm replication stats, to see
> if the
I've found a few mailboxes on my system that were being replicated where
the mailboxes are not in sync.
On server 1 I see:
dovecot1:/# doveadm fetch -u s000 "size.physical size.virtual"
mailbox-guid c92f64f79f0d1ed01e6d5b314f04886c uid 115
size.physical: 1815
size.virtual: 1843
On server 2 I