On 19-09-2024 15:56, qhivert (qhiv...@alinto.eu) wrote:
To add my 2 cents from reading the code: in the case of
SOGoTrustProxyAuthentication = YES; SOGo will check for the presence of the header
"x-webobjects-auth-type" : "Basic"
If so, it will use Basic access authentication ->
https://en.wikipedia.org/wiki/Basic_access_authentication to get the password.

I don't know how you make apache retrieve the password and put it in this 
header though...

I would not know how to do that either, but Sogo **will** get the username from Apache. Since Apache has done the authentication and the user has passed it, we trust the user. Another check that the user can pass authentication will render the same result, hence it has no added value.

So if the imap-server and the smtp-server trust sogo + apache (because there is a secure connection between imap/smtp and sogo) you have all you need. There is really no added value in imap/smtp doing another password check, so requests from sogo can be accepted by username only, like this (in the Dovecot config):

passdb {
  # Sogo has no password due to login via apache, i.e. allow based on username only
  args = nopassword=y allow_nets=127.0.0.1/32
  driver = static
}

A trusted / secure connection is essential in this case; that can be achieved by connecting localhost:143 on the sogo-server to localhost:143 on the imap-server with an ssl-tunnel using client-cert authentication (the sogo-server is the client of the tunnel). Or by running Dovecot and Sogo on the same machine, simple but not suitable for larger environments.


- Kees.
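As an added illustration (not part of the thread, and not Dovecot's own code), here is a small Python model of how the static passdb above decides a login, to show that allow_nets is the part that carries the security: with nopassword=y and no allow_nets, any client that can reach the IMAP port logs in by username alone. The parser and decision function are my own approximation of Dovecot's behaviour; the IP 203.0.113.7 is a constructed example address.

```python
import ipaddress
from typing import Optional


def parse_passdb_args(args: str) -> dict:
    """Parse a Dovecot 'args = key=value key=value ...' line into a dict."""
    out = {}
    for token in args.split():
        key, _, value = token.partition("=")
        out[key] = value
    return out


def passdb_static_allows(args: str, remote_ip: str, password: Optional[str]) -> bool:
    """Approximate the decision of 'driver = static' for one login attempt.

    allow_nets  : comma-separated CIDRs; if present, the client IP must be inside one.
    nopassword=y: accept without any password check (the username alone suffices).
    Otherwise the static passdb only matches if the client sent its fixed 'password='.
    """
    opts = parse_passdb_args(args)
    nets = opts.get("allow_nets")
    if nets:
        ip = ipaddress.ip_address(remote_ip)
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in nets.split(",")):
            return False  # client outside allow_nets: this passdb does not match
    if opts.get("nopassword") == "y":
        return True
    return password is not None and password == opts.get("password")


THREAD_CONFIG = "nopassword=y allow_nets=127.0.0.1/32"  # the args line from the thread
WEAK_CONFIG = "nopassword=y"                              # constructed: allow_nets forgotten


def demo() -> dict:
    """Three login attempts: SOGo on localhost, and an outside client against both configs."""
    return {
        "sogo_on_localhost": passdb_static_allows(THREAD_CONFIG, "127.0.0.1", None),
        "outside_client": passdb_static_allows(THREAD_CONFIG, "203.0.113.7", None),
        "outside_client_weak_config": passdb_static_allows(WEAK_CONFIG, "203.0.113.7", None),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Running it shows the outside client is denied with the thread's config and allowed by the variant without allow_nets, which is exactly the mistake to check for when copying this passdb into a setup where Dovecot is reachable from other hosts.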


Quentin

-----Original Message-----
From: users-requ...@sogo.nu <users-requ...@sogo.nu> On Behalf Of Kees van Vloten
Sent: Thursday 19 September 2024 15:47
To: users@sogo.nu
Subject: Re: [SOGo] Force 2FA/TOTP for logins from outside the intranet?


On 19-09-2024 15:16, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote:
Am 19.09.24 um 15:11 schrieb Kees van Vloten (keesvanvlo...@gmail.com):
On 19-09-2024 14:57, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote:
Hi,

we protect more and more services that can be reached from the
Internet by 2FA/TOTP.
Are there any ideas how to force 2FA/TOTP for SOGo when accessing
SOGo from the Internet (outside the intranet), but not from the
intranet?

Ideally then, SOGo would ask our privacyIDEA API (username, TOTP
code) to evaluate the TOTP code …
I am doing exactly this by letting the webserver (Apache) handle the
authentication (sogo.conf contains 'SOGoTrustProxyAuthentication =
YES;' to trust apache authentication).

Apache is configured to do OIDC authentication, against Keycloak.
Keycloak then checks the client-ip to determine how to authenticate.
If the IP is not in the internal ip-range it will request MFA and use
privacyIDEA as its backend, otherwise user/password is sufficient or
a Kerberos ticket.
Nice, how do you authenticate to the IMAP server?
I don't.
The user is already authenticated by Apache when it accesses Sogo. Sogo gets 
the username passed from Apache and it will use it when connecting to imap (so 
the user is known at that point). There is no added security value in doing 
another, behind the scenes, authentication between Sogo and imap on behalf of 
the user.

So I have set up imap (Dovecot) to accept requests on localhost without
password, the username is sufficient. In my case Sogo and Dovecot run on the
same server, but it is easy enough to use an SSL-tunnel with client-cert
authentication between 2 machines to forward imap requests from Sogo localhost
to Dovecot localhost to create a secure path from Sogo to imap.

The setup is required for smtp/submission as well. I use the dovecot-submission 
proxy for it, so authentication for imap and smtp/submission always uses the 
same (Dovecot) configuration. That prevents authentication mismatches between 
imap and smtp/submission.

- Kees.

Frank
