1 (edited by slovenka 2022-05-18 13:30:13)

Topic: Multiple passwords / add app password token for SMTP, IMAP and POP3

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello Zhang and everybody : )
Here is a feature that would be very interesting for us and probably many people. Multiple passwords or app passwords (as Nextcloud has it). It would provide better overview over connected clients (devices) and management over them. Also better security as we would be able to have 1 password per connected client and would be able to disconnect specific ones.
Our case scenario is this: We set up 1 password per device (desktop, mobile, server apps) and tag them so we know which device has the password (App password name in Nextcloud).
Then we can setup 2FA for the web apps and users can have their normal passwords (because we will generate 32-64 character passwords for devices and copy-paste when creating accounts).

So this would allow us to setup 2FA for web access(because users tend to use weak passwords) and still use strong passwords for the devices.

Now I know that it's not really that easy to implement this, because of different backends, so maybe put in in TODO.
And I don't know if I put it in the right part of the forum, would this only be a feature of iRedAdmin-Pro or iRedMail general? I think that because this would have to be done in the backend core, the most changes would be in iRedMail.

Similar was already requested here:
https://forum.iredmail.org/topic15545-l … words.html

Can maybe you guys reading this and would want this implemented write if this is interesting idea or would we do this some other way? Thank you guys!

Thank you very much Zhang for everything!
Tomaž

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team.

2

Re: Multiple passwords / add app password token for SMTP, IMAP and POP3

slovenka wrote:

Our case scenario is this: We set up 1 password per device (desktop, mobile, server apps) and tag them so we know which device has the password (App password name in Nextcloud).

Curious, why one password per device?

Currently iRedAdmin-Pro supports storing SAME password in different password schemes, e.g. BCRYPT and SSHA512, but you want different passwords, so iRedAdmin-Pro doesn't support it right now.

Technically it's possible to store multiple different passwords, but it's really depends on how you're going to store them and use them.

3

Re: Multiple passwords / add app password token for SMTP, IMAP and POP3

Hello Zhang,

I think app/multiple-passwords would make a lot of sense. Google just announced that it will enforce 2FA for youtube contributors, and add 2FA to 150 million google accounts. There is a lot of critique on 1FA authentication, because most people have weak passwords, and regular password changes lead to poor passwords (users only add another number, etc).

While OAuth2 would be the better choice (limit access to certain functionality based on the token), many email clients are not capable of OAuth2 for all protocols (e.g. caldav, carddav in Thunderbird only works for google). Also looking at SOGo, OAuth2 is not possible for caldav/carddav (I think SOGo can do SAML2, but then you would need a Oauth2<>SAML2 broker). So both client, and server are not ready today, but phishing attacks are on the rise.

Use-case with App-passwords:
1) user has a known password which is used for Roundcube, SOGo webinterface. Together with 2FA (managed by roundcube-2FA-plugin, and SOGo >=5.x), this makes login more secure.
2) the app password is saved in email clients/desktop (e.g. keyring/Thunderbird) for IMAP, SMTP, caldav/carddav. Often these app-passwords can be password protected (e.g. password for keyring of user). As the app-password is not directly handled by the user, it is better protected from phishing attacks, and other vulnerabilities. (most users won't even know that they have a second password)

I tried to find out whether this would be possible with openLDAP:
1) userPasswords can have multiple values. that is great.
2) however, a user-induced password change should not change the app-password. There are password policy overlays in openLDAP, but I'm not sure if such a policy can only the applied to one of the passwords (e.g. create a policy to prevent a password change for the app-password. I found this here: https://tobru.ch/openldap-password-policy-overlay/
3) thirdly, most importantly, iRedmail/openLDAP would need to decide whether the user-password/app-password is accepted. E.g. authentication from localhost/specific IP (using roundcube/sogo webinterface) allows user-password (as 2FA will be enabled in roundcube/SOGo). But this user password is refused when used from other source-IP. From any other source-IP, the app-password is required (e.g. for email-clients).

Another alternative would be to have 2 users (linked to one person): one user for the user-password, the other user for the app-password. Maybe this is easier, not sure regarding linking both users/1 person to their mailbox/caldav/carddav.

I did quite some research to find a openLDAP/Keycloak based groupware which has 2FA and/or app-passwords, and works with email clients like Thunderbird. There is virtually nothing. As soon as 2FA is enabled, email clients stop working, or calendar stops working, etc.

4

Re: Multiple passwords / add app password token for SMTP, IMAP and POP3

ZhangHuangbin wrote:
slovenka wrote:

Our case scenario is this: We set up 1 password per device (desktop, mobile, server apps) and tag them so we know which device has the password (App password name in Nextcloud).

Curious, why one password per device?

Currently iRedAdmin-Pro supports storing SAME password in different password schemes, e.g. BCRYPT and SSHA512, but you want different passwords, so iRedAdmin-Pro doesn't support it right now.

Technically it's possible to store multiple different passwords, but it's really depends on how you're going to store them and use them.

Why one password per device? In my view that is how app passwords work, so you have one password per client device and you can revoke specific device if compromised.

it-3414 wrote:

...

We tried with OpenLDAP backend and are stuck at one point. We managed to figure out that Postfix and Dovecot use same authentication backend, which is Dovecots passdb authentication. Then we took the user authentication from Mysql backend and combined it with OpenLDAP backend, therefore we get 2 passwords, one from LDAP and one from MySQL. We are stuck on the point where we want to allow token/app password authentication only through SMTP, IMAP, POP3 and normal password only through web (SOGo, Roundcube) and only if 2FA is enabled (for which we added "enabledService: 2fa" and set LDAP filters).
For now we have a custom script that adds token/app passwords and enables 2FA, but maybe it can be implemented into iRedAdmin-Pro if there is interest from users.

Tried many things, but we are stuck with Postfix, as we don't have deep knowledge about the user authentication configuration in combination with LDAP filters.

Would you be willing to help with getting this figured out and implemented?

Thank you!

5

Re: Multiple passwords / add app password token for SMTP, IMAP and POP3

Hi slovenka,

slovenka wrote:

Would you be willing to help with getting this figured out and implemented?

if you mean me, yes, but my resources (an knowledge of postfix, etc) are quite limited, so not sure I could be of a lot of help. We have a Pro license, so our hope would be that eventually this license will help get this feature implemented.

We plan to try out user federation with keycloak, so we can authenticate other services without the need to give access to our OpenLDAP server. Not sure if that would be a solution. SOGo will not support it (or would it, via SAML2 broker?). We also use 2 plugins in Roundcube (carddav, and caldav), and I think caldav does not support OAuth. Here even with user-federation we still not have a working solution for calendars in roundcube.


I think there definitely needs to be done something to make authentication to iRedmail, and its frontends more secure. 2FA for the iredmail admin interface is maybe relatively simple to implement? Not sure. For web-based 2FA in combination with access from all kinds of external (mail) clients, it seems app-passwords might be the most straightforward solution?

6

Re: Multiple passwords / add app password token for SMTP, IMAP and POP3

it-3414 wrote:

Hi slovenka,

slovenka wrote:

Would you be willing to help with getting this figured out and implemented?

if you mean me, yes, but my resources (an knowledge of postfix, etc) are quite limited, so not sure I could be of a lot of help. We have a Pro license, so our hope would be that eventually this license will help get this feature implemented.

We plan to try out user federation with keycloak, so we can authenticate other services without the need to give access to our OpenLDAP server. Not sure if that would be a solution. SOGo will not support it (or would it, via SAML2 broker?). We also use 2 plugins in Roundcube (carddav, and caldav), and I think caldav does not support OAuth. Here even with user-federation we still not have a working solution for calendars in roundcube.


I think there definitely needs to be done something to make authentication to iRedmail, and its frontends more secure. 2FA for the iredmail admin interface is maybe relatively simple to implement? Not sure. For web-based 2FA in combination with access from all kinds of external (mail) clients, it seems app-passwords might be the most straightforward solution?

Hello, we also are working with Keycloak, but did not implement authentication for mail services, it seems quite a process. We are using it for SSO to OIDC supporting web applications.
I tried to implement the app-password-token, got stuck with Postfix, but got it somehow working with Dovecot. So we need to figure out the Postfix part. I can share the document (even if not completely working). The developer of iRedMail turned down a request to develop the token functionality, so I think we are on our own. We are prepared to fund the development at least in some part. We would need to hire an expert on Postfix. If you are interested to help in any way (funding, researching, ...), contact me at slovenka [at] tuta [dot] io. Thank you!

7

Re: Multiple passwords / add app password token for SMTP, IMAP and POP3

Honestly I am shocked how nobody is interested in enhanced security for services that cannot use 2FA natively. Services like SMTP, IMAP and POP3 are the only ones (for us at least), that should be secured by a strong password ("app" token in this case), so they will still provide high level of security for a few years down the road (and for "old" clients). Things are already changing with different authorization protocols like OAuth2, but in the meanwhile we still need something to secure current situation.

Is there really nobody interested in this enhanced security - app token password - for SMTP, IMAP and POP3?
Or should we do this differently? Should we implement OAuth2 immediately instead?

Thank you!