[Users] Does anyone knows how to setup 2FA on Open source? We are also using Zextras.
Barry de Graaff
info at barrydegraaff.tk
Wed Oct 25 20:03:38 CEST 2017
A more simplified (proprietary) solution would be to disable POP/IMAP and then install Zextras Mobile (sorry, commercial)
(or Zimbra Next Generation Modules if 8.8 rolls out).
Then you could use ActiveSync from Zextras and their Client Zimlet to set a
separate password for ActiveSync and have 2FA for the webclient with one
of phpsimplesaml.
Kind regards,
Barry de Graaff
Zeta Alliance Founder
zetalliance.org | github.com/Zimbra-Community
+31 617 220 227
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
----- Original Message -----
From: "Ludo" <ludo at nomennesc.io>
To: users at lists.zetalliance.org
Sent: Wednesday, 25 October, 2017 19:56:57
Subject: Re: [Users] Does anyone knows how to setup 2FA on Open source? We are also using Zextras.
privacyIDEA [1] is a platform for managing two-factor tokens that integrates very nicely with simplesamlphp. I have it running in production on a setup elsewhere as well to have 2FA on Zimbra.
A major problem, however, is that this only tackles webmail. Other protocols like IMAP, ActiveSync, SMTP, etc. will still accept login/password without a second factor.
To somewhat overcome this problem, I have Zimbra configured to authenticate to an external LDAP, separate from the simplesaml/privacyIDEA chain. On this LDAP users are allowed to generate multiple userPassword entries (userPassword is a multi-value attribute in OpenLDAP) to create specific passwords to use for configuring their mail clients. These are long random passphrases that users only configure once and then forget, making them not quite as susceptible to phishing. The alternative would be to disable all services except for webmail.
Kind regards,
Ludo
[1] https://www.privacyidea.org
On Wed, Oct 25, 2017 at 07:25:28PM +0200, Barry de Graaff wrote:
> funny, we use phpsimplesaml with pre-auth as well and do have some 2FA standing by, but have not rolled that one
> out to prod in fear of support calls :-p
>
> Kind regards,
>
> Barry de Graaff
>
> From: "Stefan Sänger" <stefan.saenger at gr13.net>
> To: users at lists.zetalliance.org
> Sent: Wednesday, 25 October, 2017 19:24:08
> Subject: Re: [Users] Does anyone knows how to setup 2FA on Open source? We are also using Zextras.
>
>
>
> Hi All,
>
> well - I have been using simplesamlphp to actually perform 2FA - and yes, it also included preauth... If anybody is interested I can share the old code, since it was only a POC about 2 years ago...
>
> best regards,
>
> Stefan
>
> On 25.10.2017 19:21, Zeta Alliance Info wrote:
>
>
>
> Hi Dean,
>
> Not sure, some pre-authentication hacks come to mind, I will forward your request to the mailing list
> you can subscribe to get the answers here: https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org
>
> Does anyone know how to set up 2FA on Open source? We are also using Zextras.
>
>
>
>
> From: deanw at hostedincanada.com
> To: info at zetalliance.org
> Sent: Wednesday, 25 October, 2017 16:30:19
> Subject: 2FA
>
> Morning Zeta Alliance,
>
> Just wondering if anyone knows how to set up 2FA on Open source? We are also using Zextras.
>
> Thanks!
>
> Dean Wolf C.C.P.
> Director of Marketing
>
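The per-client password scheme Ludo describes in this thread (several userPassword values on one OpenLDAP entry, each a long random passphrase for one mail client) can be sketched as follows. This is an added example, not code from anyone in the thread; the function names, the sample DN and the choice of the `{SSHA}` storage scheme are assumptions, since the thread does not say how the directory stores the values.

```python
import base64
import hashlib
import hmac
import os
import secrets

def new_app_password(nbytes=24):
    """Long random passphrase, pasted once into a mail client and then forgotten."""
    return secrets.token_urlsafe(nbytes)

def ssha(password, salt=None):
    """OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def matches(password, stored):
    """Check a password against a single {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def bind_ok(password, user_passwords):
    """Multi-valued userPassword: a bind succeeds if any one value matches."""
    return any(matches(password, value) for value in user_passwords)

def add_value_ldif(dn, hashed):
    """LDIF adding one more userPassword value; existing values are kept."""
    return f"dn: {dn}\nchangetype: modify\nadd: userPassword\nuserPassword: {hashed}\n"

def revoke_value_ldif(dn, hashed):
    """LDIF removing only one client's value, e.g. for a lost phone."""
    return f"dn: {dn}\nchangetype: modify\ndelete: userPassword\nuserPassword: {hashed}\n"

if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"  # constructed sample DN
    phone_pw = new_app_password()
    print("configure in the mail client once:", phone_pw)
    print(add_value_ldif(dn, ssha(phone_pw)))
```

Because each client has its own value, revoking one device does not force the user to reconfigure the others; the stored hash for that device has to be kept or looked up so it can be named in the delete operation.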