IMAP MFA with nethserver8

NethServer Version: 8
Module: mail sogo

My users are connecting via imap. I would like some form of IDP MFA authentication to happen to protect if an account is compromised.

I need something simple.

Does anyone have any suggestions?

Let’s ask @stephdl if he tried something on this side :crossed_fingers:

1 Like

I understand what you need. IMAP with MFA protection. Something simple.

Bad news first:

There’s no truly simple solution. IMAP doesn’t natively support MFA. It’s username + password. That’s the protocol.

Your realistic options:

OAuth2 with an external IDP (Keycloak, Authentik, Azure AD)

  • The IDP handles MFA (TOTP, SMS, push)
  • Dovecot validates OAuth tokens instead of passwords
  • Requires modern mail clients (Thunderbird 78+, mobile apps support it)
  • Setup is complex. Not simple.

Network-level protection

  • Force VPN access with MFA before reaching IMAP
  • Users authenticate to VPN first. Then access mail normally.
  • Adds friction for users.

App-specific passwords

  • Generate unique passwords per device/app
  • Revoke individually if compromised
  • Not real MFA. But better than one password everywhere.

Rate limiting + monitoring

  • crowdsec, firewall rules, geo-blocking
  • Won’t stop a leaked password. Only slows brute force.

My honest take:

I’ve worked on ns8-mail (NethServer’s mail module). I haven’t implemented OAuth2 for it. It’s possible. But it’s not “turn on MFA” simple.

If you want real MFA protection, OAuth2 is the standard path. Setup takes work though.

What’s your environment? How many users? What mail clients do they use? That helps me give you a more specific recommendation.

3 Likes
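As an added illustration of the "Dovecot validates OAuth tokens instead of passwords" option (this is not ns8-mail's configuration and not code from either poster): a stock Dovecot 2.3 setup that hands the bearer token presented by the mail client to the IDP's token-introspection endpoint and only accepts the login if the IDP reports the token active. The IDP URL, client id and secret are placeholders, and the introspection path assumes a Keycloak realm.

```conf
# --- /etc/dovecot/conf.d/10-auth.conf (excerpt) ---
# Advertise the two OAuth SASL mechanisms. "plain login" is left in only
# while legacy clients migrate; as long as they remain, a leaked password
# still logs in without MFA, so the real enforcement step is removing them.
auth_mechanisms = plain login oauthbearer xoauth2

# Token check: the passdb does no password comparison at all; the token
# is forwarded to the IDP (see the .ext file below) for validation.
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

# A userdb is still required so Dovecot can locate the mailbox for the
# username returned by the IDP (LDAP or passwd, whatever the site uses).
userdb {
  driver = passwd
}

# --- /etc/dovecot/dovecot-oauth2.conf.ext ---
# Placeholder endpoint: Keycloak realm "mail" on idp.example.com.
introspection_url = https://idp.example.com/realms/mail/protocol/openid-connect/token/introspect
# POST the token to the endpoint, authenticating as a confidential client.
introspection_mode = post
client_id = dovecot
client_secret = REPLACE_WITH_CLIENT_SECRET
# Map the IDP's response onto a Dovecot login: which claim is the user,
# and which claim/value means the token is still valid.
username_attribute = username
active_attribute = active
active_value = true
# Verify the IDP's TLS certificate; without this the token check itself
# could be intercepted.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
```

With this in place the MFA decision lives entirely in the IDP: a client that cannot obtain a token (for example an attacker holding only the password) is refused before Dovecot ever consults a mailbox.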

Some metrics of crowdsec:

+-----------------------------------------------------------+
|                    Local API Decisions                    |
+------------------------------+----------+--------+--------+
| Reason                       | Origin   | Action | Count  |
+------------------------------+----------+--------+--------+
| ssh:bruteforce               | CAPI     | ban    | 6451   |
| crowdsecurity/postscreen-rbl | crowdsec | ban    | 1      |
| crowdsecurity/ssh-slow-bf    | crowdsec | ban    | 3      |
| generic:scan                 | CAPI     | ban    | 123    |
| http:bruteforce              | CAPI     | ban    | 732    |
| http:scan                    | CAPI     | ban    | 24343  |
| pop3/imap:bruteforce         | CAPI     | ban    | 556    |
| crowdsecurity/ssh-bf         | crowdsec | ban    | 15     |
| http:crawl                   | CAPI     | ban    | 42     |
| http:exploit                 | CAPI     | ban    | 342    |
| smtp:spam                    | CAPI     | ban    | 156    |
+------------------------------+----------+--------+--------+