MFA for NS8 Mail (IMAP, SMTP)

I’m in need of an MFA solution for thick client (IMAP, SMTP) email access to our NS8 instance. Eventually, I would extend it to Roundcube and SOGo, but being web applications, I think those are more straightforward.

I have a freshly installed test NS8 install and would love to help move this effort forward by trying and testing on my test system. I have an LDAP connection to an external AD, but I would like to make sure that any solution will work with any of the NS8-supported user authentication mechanisms. Any suggestions or guidance would be greatly appreciated. I am not experienced with any of the tools that I have found, so I will make a lot of mistakes and probably make suggestions that make no sense. I apologize in advance.

As I see it, IMAP and SMTP are difficult to MFA as they do not natively support any mechanism for client tokens that can be used for connection lifetime management. For good or bad, I believe that large providers (Google, Microsoft) have settled on OAuth2 as the MFA solution. We use Thunderbird as our email client, which has OAuth2 support (likely driven by the desire to support connections to Google/Microsoft).

My naive solution would be to install something like an Email OAuth2 Proxy (GitHub - simonrob/email-oauth2-proxy: An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don’t support this method.) that listens on all the standard ports, interacts with the Mail client for authentication management and then forwards requests/data on to the native IMAP/SMTP services in NS8.

I have seen mention of Authentik, Keycloak, and other components that may be needed in order to implement a solution, but my inexperience doesn’t let me know how they fit in the control/data flow for a working solution.

Looking forward to the discussions.

Hi @csteaderman ,

maybe this is a fair use case for the authentik initiative @mrmarkuz and @danb35 are working on?

Cheers!

it is possible easily with a firewall

put nethsecurity in front of your ns8, use openvpn with otp, do not open imap and smtp on public services but as private services

install openvpn client on all clients and when you want to connect to smtp and imap you must have initiated a vpn instance protected by vpn


Another, less paranoid way: install crowdsec and the bad guy trying to do brute force attempts will be banned


it is possible easily with a firewall

Thanks for the suggestion. We do have a firewall and VPN (Wireguard), so I could force all thick client accesses to occur via VPN. I think that I will still pursue an MFA solution, if nothing more than to learn.

On the positive side, I found this article (OAuth2 for dovecot and postfix? – Linux – The Next Generation) that seems to indicate that dovecot and postfix both support OAuth2 in recent releases. I think this means that installing and configuring an appropriate authentication service (Keycloak/Authentik/…) is all that would be necessary. @mrmarkuz Any thoughts?

On the negative side, later in the article it seems that they conclude that Thunderbird is still not able to access OAuth2 servers other than a few BIG players. Fingers crossed that will change sometime soon.

I think your only option is to handle it on the client side. As far as I know, it’s not possible to configure Postfix or Dovecot to use multi-factor authentication. Office 365 is moving in that direction, but I’m not sure about our setup — though, as always, I might be wrong! :grinning_face_with_smiling_eyes:

Hence Roundcube or SOGo


Did you see my previous post that seems to indicate that Postfix and Dovecot now support OAuth2?

No idea how to implement... sorry

Me neither :rofl: . But I’m determined to learn.

Do you know how I can find out the versions of Postfix and Dovecot on my NS8 system?

Check the version relevant to Alpine 3.21.3:

ns8-mail/build-images.sh at 12899bcd7f074c75749b5f62b0bcafd623d9c988 · NethServer/ns8-mail · GitHub


Another discussion regarding configuration of Dovecot and Postfix to support OAuth2.

XOAUTH2 implementation to Dovecot and Postfix · Mailu/Mailu · Discussion #3681 · GitHub

To check alpine packages: Package index - Alpine Linux packages

Or get the versions from inside the container:

[root@ctb1 ~]# runagent -m mail1 podman exec postfix postconf mail_version
mail_version = 3.9.5
[root@ctb1 ~]# runagent -m mail1 podman exec dovecot dovecot --version
2.3.21.1 (d492236fa0)

I get the same versions. So it looks like NS8 is already at adequate versions to enable OAuth2.

Authentik seems to support Roundcube/Dovecot, see Integrate with Roundcube | authentik

Postfix could be configured to use Dovecot for authentication but seems to support oauth too.

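The server-side half of what the last few posts describe (Dovecot validating bearer tokens against an IdP such as Keycloak or Authentik, Postfix reusing Dovecot's SASL), written out as an added example; this is not NS8's or the ns8-mail module's own configuration. The introspection URL, client id/secret, the auth listener port and the "dovecot" container hostname are placeholders; the client side (Thunderbird) is not covered.

```conf
# --- Dovecot 2.3: /etc/dovecot/conf.d/10-auth.conf ---
# Advertise the SASL mechanisms OAuth2 clients use (XOAUTH2 and the
# standard OAUTHBEARER) next to the existing password mechanisms.
auth_mechanisms = plain login oauthbearer xoauth2

# Token passdb: Dovecot asks the IdP whether the bearer token is valid
# instead of checking a password.
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

# Keep the LDAP/AD password passdb only while clients migrate; once every
# client uses OAuth2, remove it, otherwise a stolen password alone is still
# enough to read mail and the MFA gain is lost.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Let Postfix reuse Dovecot's SASL (and therefore the same token check).
service auth {
  inet_listener {
    port = 12345    # assumption: reachable only from the postfix container
  }
}

# --- Dovecot: /etc/dovecot/dovecot-oauth2.conf.ext ---
# Token introspection: URL, client id and secret are placeholders for your IdP.
introspection_mode = post
introspection_url = https://idp.example.com/PLACEHOLDER/introspect
client_id = dovecot
client_secret = PLACEHOLDER-CLIENT-SECRET
# Map the token to a mailbox name and require the token to be live.
username_attribute = email
active_attribute = active
active_value = true
# Verify the IdP's TLS certificate; do not set tls_allow_invalid_cert = yes.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

# --- Postfix 3.9: /etc/postfix/main.cf ---
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:dovecot:12345   # assumption: container hostname "dovecot"
# Offer AUTH only inside TLS so tokens never cross the wire in clear.
smtpd_tls_auth_only = yes
```

With this in place, `doveadm auth test -m xoauth2 user@example.com <token>` (the constructed placeholder user and a real token from the IdP) is the quickest way to confirm the introspection round trip before pointing a mail client at it.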