[PLUG] Add gmail like security enhancements to rainloop?

Daniel Hedlund daniel at digitree.org
Tue Feb 12 07:26:54 UTC 2019


On Mon, Feb 11, 2019 at 8:34 PM Michael Christopher Robinson <
michael at robinson-west.com> wrote:

> Third, how do I modify rainloop to ask which of three plausible numbers
> the secret number is?  Is there a better way to toughen up security?


I don't know of any sites/tools that let you easily build out your own auth
system.  You could do it yourself by modifying the app source code itself,
yes, but you'd be better off not, because ...


> How secret is a text to my smartphone?  Are SMS messages interceptable?
>
> If so, how do I secure them so that the secret isn't public knowledge?
>

You should avoid using SMS for two-factor authentication if other methods
are available (
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html).  For
most use cases, it is still a better option than no 2FA, when the 2FA
method can't be used along with other methods to reset the password,
such as easily researchable security questions.


> Basically, I want to text my smartphone from my CentOS 7 server when I
> try to log in to rainloop a secret number and require that number to
> complete logging in.
>

Rainloop appears to support two-factor authentication out of the box, but
it may not be visible in the UI without turning it on in the admin section
somewhere; I've never used rainloop before and their documentation is
minimal, but the source code suggests that you might have to enable a
two-factor auth capability.  The only provider they appear to support is
Google Authenticator (OATH TOTP), but that sounds like it would meet your
needs.  Other forms of 2FA, such as FIDO U2F (YubiKey), have been requested
for years but no work has been done toward this yet (
https://github.com/RainLoop/rainloop-webmail/issues/798).  There are also
open issues around not supporting 2FA for admin accounts (
https://github.com/RainLoop/rainloop-webmail/issues/755) and the ability to
bypass 2FA (https://github.com/RainLoop/rainloop-webmail/issues/1469).  It
actually appears that rainloop has received very few commits over the last
year, so it no longer appears to be actively developed outside of small
dependency and life-support updates.


> I'm dealing with bots I think dictionary attacking my rainloop server
> so they can log on and spam people.


If you're worried about someone remotely guessing a password with a
dictionary attack then you may want to just generate a password with a
higher entropy, maybe use a password manager.  If you want to reduce the
number of login attempts per bot, rainloop has support for integrating with
fail2ban (https://github.com/RainLoop/rainloop-webmail/issues/1580).  It
also has support for embedding recaptcha during login, but there appears to
be a conflict with enabling that along with 2FA due to the login process
taking too long and sometimes timing out (issues 1602 and 1739).  If you're
worried that your SSL/TLS is insecure, or are not using it at all, enabling
2FA will not help if that same password is used for SMTP/IMAP/POP3 logins.
Same problem if any of those are not encrypted; you'd want to secure those
first.  I am also not aware of SMTP or JMAP/IMAP/POP3 supporting 2FA,
so if you leave any of those services open and they are set to use the same
password as webmail, you may not get much of a benefit from only enabling
2FA in rainloop.
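The OATH TOTP scheme mentioned above (RFC 4226 HOTP driven by a 30-second time step, RFC 6238, which is what Google Authenticator implements) is small enough to show in full. The block below is an added example, not part of the original thread and not RainLoop's own code; the function names and the verification policy (drift window, replay rejection) are my choices, and the only inputs it uses are the published RFC test-vector secret and timestamps. Beyond generating codes, it shows the two checks a verifier needs that a code generator alone does not: a constant-time compare so a guessing bot can't learn digits from response timing, and rejection of any time step at or before the last one accepted, so a code sniffed from an unencrypted channel can't be replayed inside its validity window.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP (the "Google Authenticator" scheme), stdlib only.

Added example for the discussion above; not RainLoop's code.  The test secret
and timestamps are the published vectors from RFC 4226 / RFC 6238.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret: the ASCII string "12345678901234567890".
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP = HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    return hotp(secret, at_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the time-step counter the code matched, or None.

    Policy (an assumption of this example, not something RainLoop documents):
      * hmac.compare_digest: constant-time comparison, no timing leak per digit
      * +/- `window` steps of clock drift tolerated
      * any counter <= last_counter is refused, so the caller can store the
        returned value and a replayed code is rejected for the rest of its window
    """
    current = at_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps / otpauth:// URIs carry the secret as (often unpadded) base32."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # restore padding base64.b32decode insists on
    return base64.b32decode(s)


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 (counter 1) the 8-digit SHA-1 code is 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print("current code:", totp(RFC_TEST_SECRET, int(time.time())))
```

The value `verify_totp` returns is the piece to persist per user: RainLoop, or any login front end, should store it and pass it back as `last_counter` on the next attempt. Without that, a valid code stays usable for up to `(2 * window + 1) * step` seconds, which is exactly the window a bot replaying sniffed credentials would use. It also makes the earlier point concrete: none of this helps if the same password still works over an unencrypted IMAP or SMTP login that never asks for the code.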


