Re: Trivial Pigeonhole patch: allow X-Original-From header for address tests

2022-07-03 Thread Aki Tuomi


> On 23/06/2022 07:14 EEST Rob Foehl  wrote:
>
> Motivated by more DMARC silliness, naturally.
>
> -Rob

Hi Rob!

Any chance you could open this as pull request to 
https://github.com/dovecot/pigeonhole?

Aki


Re: Is multi factor authentication practical/feasible?

2022-07-03 Thread John Gateley

Disclaimer: I work for Auth0 (now Okta)

On 7/3/22 9:40 AM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:

> It seems any kind of dual auth will need a security app running on
> YOUR server saving tokens, logins etc etc

Not necessarily. With Auth0, the IDP runs on Auth0's server.
You are responsible for storing ID tokens, access tokens, and refresh
tokens in your app.
There are ways of doing this fairly securely, even with desktop apps or
mobile devices, where you don't have a secure backend.

> this is what led to microsoft, gmail etc having their own api which
> will only work for them

If I understand this correctly, Google et al provide an MFA API for apps
that want to handle auth themselves, instead of going the OIDC/OAuth2/SAML
route. They also provide standards based protocols, like OIDC.

That's what I was hinting at above - adopting OIDC makes things easier
than trying to bolt on security (via some MFA API).

> this is also (mainly because of https authing the device) what makes
> it hard to proxy oauth2 etc

This is definitely a pain point. You can either open up a browser from
the device, or on constrained devices, use device flow (display a URL,
user visits that URL on their laptop, device grabs confirmation from the
IDP that they did). Neither one is completely elegant, but opening a
browser on a mobile device is far less intrusive than you might think.

> 5.7. Authenticating using C.A.S.
> ...
>
> basically the reality is every server will have its own token base
> etc thus preventing any kind of a standard.

I'm not familiar with C.A.S. I don't have any clients that I know of
using it, so I can't comment on it.

But the JWT token spec is now common, and is a standard. Also the SAML spec.
I see more OIDC, but also a lot of SAML.

Happy IAM Sunday to you too!

j



Re: Is multi factor authentication practical/feasible?

2022-07-03 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



Please note this is my opinion only

It seems any kind of dual auth will need a security app running on YOUR
server saving tokens, logins etc etc

this is what led to microsoft, gmail etc having their own api which
will only work for them

this is also (mainly because of https authing the device) what makes it
hard to proxy oauth2 etc

If you look at sogo's documentation they have a java server applet

Still working on the install to make it work with my system but in general
you need your own whatever app to track oauth2

5.7. Authenticating using C.A.S.
SOGo natively supports C.A.S. authentication. For activating C.A.S.
authentication you need first to make sure that the SOGoAuthenticationType
setting is set to cas, SOGoXSRFValidationEnabled is set to NO and that the
SOGoCASServiceURL setting is configured appropriately.

I myself will eventually get around to implementing this on one of my
servers?

logically i will have to track tokens etc via https like google etc

basically the reality is every server will have its own token base etc
thus preventing any kind of a standard.

Happy Sunday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 7/3/2022 9:50 AM, John Gateley wrote:

> On 7/3/22 8:31 AM, John Gateley wrote:
>> The protocols were designed long before SAML and OIDC. SAML/OIDC give
>> you more control over authn/z and allow easily adding in MFA or other
>> different types of auth. To do this right, you'd need to extend the
>> protocol to allow OIDC or SAML.
>
> I did find this RFC - I haven't read it, but it applies directly:
> https://datatracker.ietf.org/doc/html/rfc7628
>
> j



Re: Is multi factor authentication practical/feasible?

2022-07-03 Thread John Gateley




On 7/3/22 8:31 AM, John Gateley wrote:
> The protocols were designed long before SAML and OIDC. SAML/OIDC give
> you more control over authn/z and allow easily adding in MFA or other
> different types of auth. To do this right, you'd need to extend the
> protocol to allow OIDC or SAML.

I did find this RFC - I haven't read it, but it applies directly:
https://datatracker.ietf.org/doc/html/rfc7628

j


Re: Is multi factor authentication practical/feasible?

2022-07-03 Thread John Gateley



On 7/1/22 1:02 PM, Jochen Bern wrote:

> On 27.06.22 00:52, Steve Dondley wrote:
>> I have a small client whose insurance company insists they have MFA
>> for their email to be covered under some kind of data protection policy.
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
> POP, and IMAP protocol definitions do not provide elbow room to make
> *two* rounds of authentication.

What Jochen said.

The protocols were designed long before SAML and OIDC. SAML/OIDC give
you more control over authn/z and allow easily adding in MFA or other
different types of auth. To do this right, you'd need to extend the
protocol to allow OIDC or SAML.

As some have noted, you can shoehorn it in. But I would not recommend
doing that. Adding security as a bolt-on ad hoc usually has holes.

But if you really wanted to do this, I'd suggest something like:

 * Extend dovecot to use an OIDC access token instead of a
   username/password.
 * Set up an IDP with your connection, defining credentials as well as
   MFA info
 * Set up the IDP with an API - this is the API for generating the
   access token used by dovecot
 * Extend Thunderbird or your mail app to use the IDP to get the access
   token, then use that to connect to Dovecot.

So this sounds kind of cool to me. If you want a little help setting it 
up with Auth0, ping me off list.



John
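John's plan above (an IDP that issues an access token, and a mail server that accepts that token in place of a password) and the RFC 7628 he points to in his follow-up describe the same mechanism: SASL OAUTHBEARER, which carries an OAuth 2.0 bearer token inside the IMAP/POP3/SMTP AUTHENTICATE step. The example below is added here and is not code from the thread, from Dovecot or from Auth0. It shows both halves of that exchange: the client encoding the initial response per RFC 7628 section 3.1, and the server parsing it, validating the token, checking that the identity the client claims matches the token's subject, and answering with the RFC 7628 section 3.2.2 JSON failure body when anything is wrong. The issuer, audience, shared secret and openid-configuration URL are assumptions, and the token is a constructed HS256 JWT so the whole thing runs offline; a real server verifies the IDP's RS256/ES256 signature against its published JWKS, or calls the IDP's introspection endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

KVSEP = "\x01"                                   # RFC 7628 key/value separator (^A)
ISSUER = "https://idp.example.invalid/"          # assumed IDP issuer
AUDIENCE = "imap.example.invalid"                # assumed audience: the mail server itself
SECRET = b"constructed-shared-secret"            # constructed; HS256 only so this runs offline
OPENID_CONFIG = ISSUER + ".well-known/openid-configuration"   # assumed discovery URL


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, now: int, ttl: int = 300) -> str:
    """Stand-in for the IDP: issue a short-lived HS256 access token for `subject`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def client_initial_response(authzid: str, host: str, port: int, token: str) -> str:
    """Mail client side (RFC 7628 section 3.1): gs2 header "n,a=<authzid>,", then
    kvpairs each followed by ^A, then one more ^A to terminate the response."""
    kvpairs = [f"host={host}", f"port={port}", f"auth=Bearer {token}"]
    return f"n,a={authzid}," + KVSEP + KVSEP.join(kvpairs) + KVSEP + KVSEP


def parse_initial_response(resp: str) -> dict:
    """Server side: split the gs2 header and kvpairs, rejecting anything malformed."""
    if not resp.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminating kvsep")
    header, _, body = resp.partition(KVSEP)
    parts = header.split(",")
    if len(parts) != 3 or parts[0] != "n" or not parts[1].startswith("a=") or parts[2]:
        raise ValueError("bad gs2 header")
    fields = {"authzid": parts[1][2:]}
    for kv in body[:-2].split(KVSEP):            # drop the two trailing ^A before splitting
        key, sep, value = kv.partition("=")
        if not key or not sep:
            raise ValueError("bad kvpair")
        fields[key] = value
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("auth kvpair must carry a Bearer token")
    fields["token"] = fields["auth"][len("Bearer "):]
    return fields


def verify_token(token: str, now: int) -> dict:
    """Check signature, algorithm, issuer, audience and expiry; raise ValueError on failure."""
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("not a compact JWT")
    header_b64, payload_b64, sig_b64 = pieces
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")       # pin the algorithm; never trust the token's alg
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def server_authenticate(resp: str, now: int) -> tuple:
    """Server side: ("OK", user) on success, else ("FAIL", RFC 7628 section 3.2.2 body)."""
    failure = {"status": "invalid_token", "scope": "mail", "openid-configuration": OPENID_CONFIG}
    try:
        fields = parse_initial_response(resp)
        claims = verify_token(fields["token"], now)
    except ValueError:
        return ("FAIL", failure)
    subject = claims.get("sub")
    # A valid token for one user must not unlock another mailbox: bind authzid to sub.
    if not subject or (fields["authzid"] and fields["authzid"] != subject):
        return ("FAIL", failure)
    return ("OK", subject)


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token("alice@example.invalid", now)
    resp = client_initial_response("alice@example.invalid", AUDIENCE, 143, token)
    print(server_authenticate(resp, now))          # ('OK', 'alice@example.invalid')
    print(server_authenticate(resp, now + 3600))   # ('FAIL', {...}): token expired
```

Two of the checks are where bolt-on implementations usually go wrong: the server pins the signing algorithm instead of reading it from the token, and it refuses a token whose subject differs from the authzid the client asserted, so a token legitimately issued to one mailbox cannot be replayed against another. The `failure` dict is what the server base64-encodes into its challenge on a bad token; the client then answers with a lone ^A and receives the SASL failure.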



Re: Is multi factor authentication practical/feasible?

2022-07-03 Thread Sam Kuper
On Sat, Jul 02, 2022 at 07:32:21AM -0800, justina colmena ~biz wrote:
> Guns are banned and there's a night guard with a Big Mag flashlight or
> a billy club walking the beat around the bank, kicking a homeless man
> who fell asleep on the sidewalk to tell him wake up or your pocket's
> going be picked clean by morning, because you've got too much money in
> your name for your own good anyways, if you've got any teeth left in
> your mouth or can afford the dentist's bill for that.

Please stick to the topic, which is about how to implement MFA with
Dovecot.