Request: Lock mailserver admin to IP address
Is it possible to only allow login to the control panel for the mailserver administrator account from selected IP addresses?
Also, I can't see anywhere if there are protectors for brute force hacking of accounts on the control panel?
Comments (8)
-
repo owner -
reporter Thank you for
#441 Re: #438 - The mailserver we are migrating from had thousands of hacking attempts daily, and whitelisting static IP addresses from our office and home(s) etc. provides another line of defence to counter these persistent attempts to gain access.
An implementation such as the SMTP whitelisting (/admin/blacklist) would be great!
So get voting for this people! +1
-
reporter SH, if you are not keen on IP blocking, how about this instead: for the server administrator account, what about 2FA such as a YubiKey?
Apparently it's a 20-minute task to add it - https://www.yubico.com/why-yubico/for-business/systems/systems-integration/two-factor-authentication-online-services/
We use this for other services like Dashlane and it really works well. It provides a second security tier of authenticating using a physical key (low cost).
-
I would prefer a 2FA solution like Google Authenticator - it's easy to implement as well and does not require to buy hardware.
-
reporter Some of us do not trust Google :) It also requires a mobile device (and phone signal... still an issue for some of us).
Also, if you don't use a smartphone (like me!) the SMS service is not secure.
-
It's an open source project, Yubico is not, so I don't see why I should trust Yubico and not the Google Authenticator algorithm. Plus, you don't need to install the authenticator app from Google, there are alternatives. Furthermore, with the Google Authenticator algorithm, there's no need to connect to a service or server to make it work, with Yubico you need to connect to their cloud - and that's something really bad.
poste.io is a project made of open source software and it should stay this way!
-
reporter Yubico also has TOTP support, the link was simply to their hosted services. If it is a question of trust, Google themselves require their staff to use Yubikeys to meet security requirements. It is also supported by Microsoft and Linux for AD and local system logins.
-
SB, if you want to increase the security for your users there is a plugin for RoundCube that will let them enable MFA with WebAuthn (FIDO2).
https://github.com/bartnv/twofactor_webauthn
Ideally the same kind of MFA would be awesome to have for the admin page as well. Regarding open source etc I fully agree that this project should be based on non commercial implementation.
FIDO2 is an open authentication standard, hosted by the FIDO Alliance.
For more information, see:
https://fidoalliance.org/developers/
https://codelabs.developers.google.com/codelabs/webauthn-reauth/#0
https://developers.yubico.com/WebAuthn/
https://webauthn.io/
-
If there will be enough user interest I will implement some kind of User-IP binding, though I am not a fan of any IP filtering.
(Also there is no brute force prevention at administration, I've opened #441.)
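As an added illustration of the two things asked for in this thread (admin login restricted to an allowlist of source addresses, plus a lockout after repeated failed attempts), here is example code that is not part of poste.io; the address ranges, thresholds and class name are constructed for the example.

```python
import ipaddress
import time
from collections import defaultdict

# Constructed allowlist: an "office" range and a single "home" address (hypothetical values).
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

MAX_FAILURES = 5        # failed attempts a source address may make...
LOCKOUT_SECONDS = 900   # ...within this window before it is locked out


class AdminLoginGate:
    """Gate in front of the admin login: allowlist check first, then a per-IP failure budget."""

    def __init__(self, allowlist, clock=time.time):
        self.allowlist = allowlist
        self.clock = clock                   # injectable for deterministic tests
        self.failures = defaultdict(list)    # source IP -> timestamps of recent failures

    def ip_allowed(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.allowlist)

    def recent_failures(self, source_ip):
        # Drop failures older than the window, then count what is left.
        cutoff = self.clock() - LOCKOUT_SECONDS
        self.failures[source_ip] = [t for t in self.failures[source_ip] if t > cutoff]
        return len(self.failures[source_ip])

    def is_locked_out(self, source_ip):
        return self.recent_failures(source_ip) >= MAX_FAILURES

    def attempt(self, source_ip, verify_password):
        """Decide one login attempt. verify_password is a zero-argument callable that
        returns True for a valid credential; it is only invoked for allowed,
        non-locked-out addresses, so blocked sources never exercise password checking."""
        if not self.ip_allowed(source_ip):
            return "denied_ip"
        if self.is_locked_out(source_ip):
            return "locked_out"
        if verify_password():
            self.failures[source_ip].clear()   # success resets the failure budget
            return "ok"
        self.failures[source_ip].append(self.clock())
        return "bad_password"


if __name__ == "__main__":
    gate = AdminLoginGate(ADMIN_ALLOWLIST)
    print(gate.attempt("192.0.2.9", lambda: True))     # outside the allowlist -> denied_ip
    print(gate.attempt("203.0.113.5", lambda: False))  # allowed address, wrong password
```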