To add my 2cents by reading the code, in the case of SOGoTrustProxyAuthentication = YES; Sogo will check the presence of the header "x-webobjects-auth-type" : "Basic" If yes, it will use the Basic access authentication -> https://en.wikipedia.org/wiki/Basic_access_authentication to get the password.
I don't know how you make apache retrieve the password and put it in this header though... Quentin -----Original Message----- From: users-requ...@sogo.nu <users-requ...@sogo.nu> On Behalf Of Kees van Vloten Sent: jeudi 19 septembre 2024 15:47 To: users@sogo.nu Subject: Re: [SOGo] Force 2FA/TOTP for logins from outside the intranet? On 19-09-2024 15:16, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote: > Am 19.09.24 um 15:11 schrieb Kees van Vloten (keesvanvlo...@gmail.com): >> >> On 19-09-2024 14:57, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) >> wrote: >>> Hi, >>> >>> we protect more and more services that can be reached from the >>> Internet by 2FA/TOTP. >>> Are there any ideas how to force 2FA/TOTP for SOGo when accessing >>> SOGo from the Internet (outside the intranet), but not from the >>> intranet?? >>> >>> Ideally then, SOGo would ask our privacyIDEA API (username, TOTP >>> code) to evaluate the TOTP code … >> >> I am doing exactly this by letting the webserver (Apache) handle the >> authentication (sogo.conf contains 'SOGoTrustProxyAuthentication = >> YES;' to trust apache authentication). >> >> Apache is configured to do OIDC authentication, against Keycloak. >> Keycloak then checks the client-ip to determine how to authenticate. >> If the IP is not in the internal ip-range it will request MFA and use >> Privacyidea as its backend, otherwise user/password is sufficient or >> a Kerberos ticket. > Nice, how do you authenticate to the IMAP server? I don't. The user is already authenticated by Apache when it accesses Sogo. Sogo gets the username passed from Apache and it will use it when connecting to imap (so the user is known at that point). There is no added security value in doing another, behind the scenes, authentication between Sogo and imap on behalf of the user. So I have setup imap (Dovecot) to accept requests on localhost without password, the username is sufficient. In my case Sogo and Dovecot run on the same server, but it is easy enough to use a SSL-tunnel with client-cert authentication between 2 machines to forward imap requests from Sogo localhost to Dovecot localhost to create a secure path from Sogo to imap. The setup is required for smtp/submission as well. I use the dovecot-submission proxy for it, so authentication for imap and smtp/submission always uses the same (Dovecot) configuration. That prevents authentication mismatches between imap and smtp/submission. - Kees. > > Frank >
