Request: Lock mailserver admin to IP address

Issue #438 new
SB created an issue

Is it possible to only allow login to the control panel for the mailserver administrator account from selected IP addresses?

Also, I can't see anywhere whether there are protections against brute-force hacking of accounts on the control panel?

Comments (8)

  1. SH repo owner

    If there is enough user interest I will implement some kind of user-IP binding, though I am not a fan of any IP filtering.

    (also, there is no brute-force prevention for administration; I've opened #441)

  2. SB reporter

    Thank you for #441

    Re: #438 - The mailserver we are migrating from had thousands of hacking attempts daily, and whitelisting static IP addresses from our office and home(s), etc., provides another line of defence to counter these persistent attempts to gain access.

    An implementation such as the SMTP whitelisting (/admin/blacklist) would be great!

    So get voting for this people! +1
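As an added illustration of the two things asked for in this thread (the admin-only IP whitelist requested above and the brute-force protection raised in the original post and in #441), here is a small login gate in Python. It is example code written for this discussion, not poste.io's own implementation; the address ranges, the trusted-proxy address, the admin password hash, and the lockout parameters are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample configuration: the static office/home ranges the admin
# account may log in from. TEST-NET / documentation ranges, not real hosts.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # office (constructed)
    "198.51.100.7/32",  # a static home address (constructed)
    "2001:db8:1::/48",  # office IPv6 block (constructed)
)]
# Reverse proxies whose X-Forwarded-For header we are willing to believe (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def client_ip(remote_addr, forwarded_for=None):
    """Return the address the allowlist decision is made on.

    X-Forwarded-For is attacker-controlled unless the TCP peer is one of our
    own proxies, so it is honoured only then, and only the last hop (the one
    the proxy itself appended) is used.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def ip_allowed(ip, allowlist=ADMIN_ALLOWLIST):
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so mixed v4/v6 lists are safe here.
    return any(ip in net for net in allowlist)


class LoginThrottle:
    """Per-key (source IP) failure counter with a fixed lockout window."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # key -> (count, time of first failure in window)
        self._locked_until = {}  # key -> unix time the lockout expires

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        count, first = self._failures.get(key, (0, now))
        if now - first > self.lockout_seconds:  # stale window, start over
            count, first = 0, now
        count += 1
        self._failures[key] = (count, first)
        if count >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            self._failures.pop(key, None)

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed admin credential: PBKDF2 hash of the example password "correct horse".
_SALT = b"constructed-example-salt"
_ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000)


def password_ok(password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    return hmac.compare_digest(candidate, _ADMIN_HASH)  # constant-time compare


def admin_login(remote_addr, password, throttle, forwarded_for=None, now=None):
    """Gate an admin login attempt; returns a short status string.

    Order matters: the IP allowlist and the lockout are checked before the
    password, so a source that is not on the list learns nothing about it and
    a locked-out source cannot keep guessing.
    """
    now = time.time() if now is None else now
    ip = client_ip(remote_addr, forwarded_for)
    if not ip_allowed(ip):
        return "denied:ip"
    key = str(ip)
    if throttle.is_locked(key, now):
        return "denied:locked"
    if not password_ok(password):
        throttle.record_failure(key, now)
        return "denied:password"
    throttle.record_success(key)
    return "ok"
```

The throttle keys on the source address, which is appropriate for a single admin account behind an allowlist; for a multi-user login form you would normally key on the username as well, since a botnet can spread its guesses across many addresses. The throttle is in-process state, so in a multi-worker deployment it would need to live in shared storage such as Redis.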

  3. Alexander

    I would prefer a 2FA solution like Google Authenticator - it's easy to implement as well and does not require buying hardware.

  4. SB reporter

    Some of us do not trust Google :) It also requires a mobile device (and phone signal... still an issue for some of us).

    Also, if you don't use a smartphone (like me!), SMS service is not secure.

  5. Alexander

    It's an open source project, Yubico is not, so I don't see why I should trust Yubico and not the Google Authenticator algorithm. Plus, you don't need to install the authenticator app from Google, there are alternatives. Furthermore, with the Google Authenticator algorithm, there's no need to connect to a service or server to make it work, with Yubico you need to connect to their cloud - and that's something really bad.

    poste.io is a project made of open source software and it should stay this way!
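The "Google Authenticator algorithm" referred to above is TOTP (RFC 6238) built on HOTP (RFC 4226): a shared secret, HMAC-SHA1 over a time counter, and dynamic truncation to six or eight digits. The following Python is an added example for this thread, not poste.io's code and not any authenticator app's code; it implements the algorithm from the standard library alone, which is the point being made above that no service or server is contacted. The test secret is the one published in RFC 4226/6238; the verifier's window size and replay tracking are this example's own design choices.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Pure local computation."""
    return hotp(secret, int(at // step), digits, algorithm)


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps import from a QR code (secret as unpadded base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side check: tolerate +/- `window` steps of clock skew, compare in
    constant time, and never accept the same counter value twice (replay)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30,
                 digits: int = 6, algorithm: str = "sha1"):
        self.secret, self.window, self.step = secret, window, step
        self.digits, self.algorithm = digits, algorithm
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code: str, at: float = None) -> bool:
        at = time.time() if at is None else at
        base = int(at // self.step)
        for counter in range(base - self.window, base + self.window + 1):
            expected = hotp(self.secret, counter, self.digits, self.algorithm)
            if counter > self.last_counter and hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "admin@example.com", "poste.io"))
    print("current 6-digit code:", totp(RFC_SECRET, time.time()))
```

Secrets should be generated with `secrets.token_bytes(20)` per user and stored encrypted at rest; the example uses the RFC vector only so the output can be checked against the published tables. Replay tracking (`last_counter`) is what keeps a code captured by a shoulder-surfer from being reused within the same 30-second step.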

  6. SB reporter

    Yubico also has TOTP support, the link was simply to their hosted services. If it is a question of trust, Google themselves require their staff to use Yubikeys to meet security requirements. It is also supported by Microsoft and Linux for AD and local system logins.

  7. Henrik Tilly

    SB, if you want to increase the security for your users there is a plugin for RoundCube that will let them enable MFA with WebAuthn (FIDO2).

    https://github.com/bartnv/twofactor_webauthn

    Ideally the same kind of MFA would be awesome to have for the admin page as well. Regarding open source etc., I fully agree that this project should be based on a non-commercial implementation.

    FIDO2 is an open authentication standard, hosted by the FIDO Alliance.

    For more information, see:

    https://fidoalliance.org/developers/
    https://codelabs.developers.google.com/codelabs/webauthn-reauth/#0
    https://developers.yubico.com/WebAuthn/
    https://webauthn.io/