2FA for Business
Proposed
Hi,
it looks like mailbox.org does not support 2FA / MFA for business. At least there are no options in setup.mailbox.org or in the user mailbox settings.
If that's true, when will this be available? It's pretty much a deciding factor for me.
In that regard, it would also be quite relevant to support app specific passwords for caldav/carddav/imap clients.
Thanks, Marco
Thank you very much for your inquiry. The integration of 2FA for our private customers has been an integral part of our services for several years.
Since additional security is equally vital for our business customers, we are going a step further and would like to make use of the latest technologies and additional layers of security in the near future.
Your mailbox.org team
We are already working on this feature. Unfortunately I can't give you a fixed date for the implementation as of right now.
Related discussions at:
https://userforum-en.mailbox.org/topic/1427-2fa-with-lemonldap-ng-or-keycloak
https://userforum-en.mailbox.org/topic/lets-talk-about-2fa-on-this-website-again
For Two-Factor authentication (2FA) for Mailbox.org Business, for Mailbox.org review, and decision, I suggest considering those three:
• https://lemonldap-ng.org
• https://www.shibboleth.net
• https://www.keycloak.org
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
Below is the same suggestion as above. But with details if you're interested in those.
All 3 products listed above have strong security and strong privacy. Because they are open source :) My favorite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM. Shibboleth is my second favorite.
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
About LemonLDAP-NG
Strength:
• LemonLDAP-NG is used as 2FA and MFA by many organizations. One high profile example is the "Document Foundation". Which facilitates the growth of the very popular LibreOffice. You can try LemonLDAP-NG for free at https://auth.documentfoundation.org
• Won OW2 awards:
___• OW2con'14 Community Award
___• OW2con'18 Community Award
• No license fees
• Optional Docker for faster and easier installation at https://github.com/LemonLDAPNG/lemonldap-ng-docker
• Free community support at https://lemonldap-ng.org/contact.html
• Libre Source (Open Source). If you are not familiar with "Libre Source", it means this software has both stronger security & stronger privacy. Because its code is publicly available for review and contributions at https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng or at https://github.com/LemonLDAPNG/lemonldap-ng
• Attractive GNU General Public License version 2. This means the software code of this extension is owned and supported by a friendly not-for-profit community. Instead of a for-profit corporation. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/LICENSE
• The main strength of LemonLDAP-NG is that it is owned by a friendly not-for-profit community. Not by a for-profit corporation. Legally speaking, this means that LemonLDAP-NG is directly CONTROLLED by both YOU and its friendly community. Also, not-for-profit organizations are more likely to value people above money. In comparison, most other Two-Factor Authentication options are owned and controlled by a for-profit organization. Which risks valuing money above people.
___• Source about LemonLDAP-NG owned by a friendly not-for-profit community:
______• https://lemonldap-ng.org/team.html
____________• https://archive.ph/7B9Sd
• Easier user interface. With lots of features.
• Many additional features to 2FA and MFA. Such as, but not limited to:
___• SSO
___• OpenID Connect
___• CAS
___• SAML
• User interface adapted for System Administrators
• France Connect certified
• FusionIAM project member
Show Your Support:
• If you enjoy this application, show your support to the authors & contributors with:
___• Join mailing list at https://lemonldap-ng.org/contact.html
___• Contribute to documentation at https://lemonldap-ng.org/documentation/latest/
___• Patch at https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
Note:
• Docker container repository at https://github.com/LemonLDAPNG/lemonldap-ng-docker
• Screenshots at https://lemonldap-ng.org/screenshots
• Download at https://lemonldap-ng.org/download
• Homepage at https://lemonldap-ng.org
• Support and social media at https://lemonldap-ng.org/contact.html
• Comparison between LemonLDAP-NG and Keycloak. Available in French only at:
___• https://www.worteks.com/assets/support-conference/2022/Presentation-OpensourceExperience-2022-Keycloak-vs-LemonLDAP.pdf
___• https://web.archive.org/web/20230504010955/https://www.worteks.com/assets/support-conference/2022/Presentation-OpensourceExperience-2022-Keycloak-vs-LemonLDAP.pdf
More screenshots of LemonLDAP-NG
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
If needed, both the Ubertus.org team and I would be happy to contribute testing and documentation for 2FA, whichever option Mailbox.org chooses.
Hello all two-factor authentication enthusiasts :)
We received this status update from the Mailbox.org team on May 5th, 2023: "As to 2FA for business customers we are currently working on an implementation with Keycloak"
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
Below is the same message as above. But with details if you're interested in those.
They do not have an estimated time of delivery (ETA)
For those not familiar with Keycloak, it is "an open source software product to allow single sign-on with identity and access management aimed at modern applications and services."
Website https://www.keycloak.org
Video with screenshot https://www.youtube.com/watch?v=RzxzY1dluvo
Video backend https://www.youtube.com/watch?v=K7mjE58hl4I
Video French https://www.youtube.com/watch?v=AxYKRBT9JDw
Source repository https://github.com/keycloak/keycloak
Wikipedia article https://en.wikipedia.org/wiki/Keycloak
Thanks for the update Francewho!
I'd appreciate a status report by mailbox.org with an ETA for 2FA/MFA and app passwords.
As a long-term customer of mailbox.org, I bring quite some patience to the table.
I had a ticket open in August 2021 in which I asked for MFA for business, the feedback was:
> To be able to offer 2FA, some fundamental changes to authentication in the business area are necessary. Only after that can we start the actual implementation of the second factor.
> We have started on these changes, but there is still a long way ahead of us. We currently expect work on the 2FA itself to begin in the second quarter of 2022, but of course we cannot give a guarantee (yet).
I just listened to Episode 965 of Security Now. The full text as PDF can be found here. I mention this as there is a lengthy section about how the 'I forgot my password' links on all major websites of the Internet make passwords actually optional. If you want to log in, you just click the link and get a one-time password via e-mail. This makes e-mail the weakest link in the authentication chain. The episode also talks about passkeys and how they compare against classic user/pw with 2FA.
I feel quite uncomfortable without 2FA on the website and without app password for IMAP mail clients.
Don't want to sound rude, however mailbox.org specifically advertises its security architecture and what it does to protect users, so I would expect this topic to get quite some management attention.
Thanks for any update and this. And don't get me wrong, I like the services that mailbox.org offers and I have a lot of trust on the server side of things. The missing state-of-the-art authentication features however put a lot of burden on the users and their password management skills and also their mail clients.
I just checked the settings of my business account. There are app passwords. But not for IMAP, only CalDAV/CardDAV. But I will certainly try this out.
No IMAP mail notification on setup is also beyond me; anybody can connect via IMAP and you don't know it.
Hi all Mailbox.Org enthusiasts,
While Mailbox.Org is in the process of adding Keycloak 2FA on business accounts, for those interested in stronger security for your Mailbox.Org business account, I suggest these two workaround steps:
1. Activate this free, easy, and quick Mailbox.Org authorized IP(s) feature at https://kb.mailbox.org/en/business/security-privacy-article/ip-whitelisting
2. Optionally, use a free Libre Source (Open Source) self-hosted VPN external server, which both supports and adds 2FA on Mailbox.Org business account IMAP connections.
The end result is that all Mailbox.Org IMAP connections are required to pass both the authorized IPs test and the VPN-powered 2FA test. For more than a year, this has worked really well for us at Ubertus.Org.
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
Below is the same as above. But with details for those interested.
As you probably know, Mailbox.Org said that they already added 2FA on personal accounts. They also said that they are in progress of adding 2FA on business accounts. They do not have an ETA.
For those who missed the news from Mailbox.Org about authorized IP address(es) (whitelisting). Since October 2023, it is now possible to add authorized IP(s) to Mailbox.Org business accounts. This is free and easy to do.
Announcement at https://mailbox.org/en/post/mailbox-org-ip-whitelisting-more-security-for-companies
How-to guide at https://kb.mailbox.org/en/business/security-privacy-article/ip-whitelisting
One benefit of adding authorized IPs is that the attack surface area is greatly reduced. Thus, much stronger security. Including, but not limited to, against brute force attacks. Simply because only authorized IP(s) can make a connection.
For those who do not have a static IP address, you can buy a proxy one. Cost around USD 3 per month. I suggest double-checking that the supplier allows outgoing and incoming IMAP connections. Many suppliers block IMAP ports.
Optionally, after authorizing IP(s), for those who are or who have access to System Administrator and DevOps services, there are many workarounds to add an external 2FA on all connections to Mailbox.Org IMAP business accounts. At Ubertus.Org a long time ago, we added both authorized IPs and 2FA to our critical Mailbox.Org business accounts. Works really well. In summary, it is a free self-hosted Libre Source (Open Source) VPN server. Which includes a 2FA. This VPN is located between the Mailbox.Org authorized IPs and the Mailbox.Org IMAP. All authorized IPs are required to pass this 2FA before they are allowed to connect with the Mailbox.Org IMAP. I'll try to add another publication here about this.
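The workaround in the post above only enforces 2FA if every authorized IP is an egress address of the 2FA-protected VPN; any other entry is a path to IMAP that skips the second factor. The following audit of an allowlist is an added example, not part of the original post and not mailbox.org or Ubertus.Org tooling. It assumes entries are plain IP or CIDR strings, uses assumed width thresholds, and its sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Ranges that never appear as the source of an internet connection.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "fc00::/7", "fe80::/10", "::1/128")]

# Assumed policy thresholds: anything wider than this is flagged for review.
MIN_PREFIX = {4: 24, 6: 64}


def _within(net, others):
    """True if net lies entirely inside one of the networks in others."""
    return any(net.version == o.version and net.subnet_of(o) for o in others)


def audit_allowlist(entries, vpn_egress):
    """Return (entry, problem) pairs for an authorized-IP list.

    entries    -- strings as they would be typed into the allowlist (assumed format)
    vpn_egress -- public address(es) the 2FA-protected VPN sends traffic from
    """
    vpn_nets = [ipaddress.ip_network(v, strict=False) for v in vpn_egress]
    parsed, findings = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "invalid"))
            continue
        if any(net.version == r.version and net.overlaps(r) for r in NON_ROUTABLE):
            # A private or loopback source can never match a client on the internet.
            findings.append((raw, "non-routable"))
            continue
        parsed.append(net)
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((raw, "too-broad"))
        if not _within(net, vpn_nets):
            # Clients at this address reach IMAP without passing the VPN's 2FA.
            findings.append((raw, "bypasses-vpn-2fa"))
    for v in vpn_nets:
        if not _within(v, parsed):
            # VPN users would be locked out of IMAP.
            findings.append((str(v), "vpn-egress-missing"))
    return findings


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_VPN_EGRESS = ["203.0.113.10"]
SAMPLE_ALLOWLIST = ["203.0.113.10", "198.51.100.0/22", "192.168.1.0/24",
                    "office-ip", "198.51.100.77"]

if __name__ == "__main__":
    for entry, problem in audit_allowlist(SAMPLE_ALLOWLIST, SAMPLE_VPN_EGRESS):
        print(f"{entry:20} {problem}")
```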
Replies have been locked on this page!