mailcow-dockerized-docs/u_e-mailcow_ui-tfa/index.html

2528 Zeilen
55 KiB
HTML

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="canonical" href="https://mailcow.github.io/mailcow-dockerized-docs/u_e-mailcow_ui-tfa/">
<link rel="icon" href="../images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-7.3.5">
<title>Two-Factor Authentication - mailcow: dockerized documentation</title>
<link rel="stylesheet" href="../assets/stylesheets/main.cdeb8541.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.3f5d1f46.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
<link rel="stylesheet" href="../extra.css">
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<script>function __prefix(e){return new URL("..",location).pathname+"."+e}function __get(e,t=localStorage){return JSON.parse(t.getItem(__prefix(e)))}</script>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#yubi-otp" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="mailcow: dockerized documentation" class="md-header__button md-logo" aria-label="mailcow: dockerized documentation" data-md-component="logo">
<img src="../images/logo.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
mailcow: dockerized documentation
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Two-Factor Authentication
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/mailcow/mailcow-dockerized/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
mailcow/mailcow-dockerized
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="mailcow: dockerized documentation" class="md-nav__button md-logo" aria-label="mailcow: dockerized documentation" data-md-component="logo">
<img src="../images/logo.svg" alt="logo">
</a>
mailcow: dockerized documentation
</label>
<div class="md-nav__source">
<a href="https://github.com/mailcow/mailcow-dockerized/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
mailcow/mailcow-dockerized
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Information & Support
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Prerequisites
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Prerequisites" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Prerequisites
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../prerequisite-system/" class="md-nav__link">
Prepare your system
</a>
</li>
<li class="md-nav__item">
<a href="../prerequisite-dns/" class="md-nav__link">
DNS setup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3">
Installation, Update & Migration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Installation, Update & Migration" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Installation, Update & Migration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../i_u_m_install/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../i_u_m_update/" class="md-nav__link">
Update
</a>
</li>
<li class="md-nav__item">
<a href="../i_u_m_migration/" class="md-nav__link">
Migration
</a>
</li>
<li class="md-nav__item">
<a href="../i_u_m_deinstall/" class="md-nav__link">
Deinstallation
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Post Installation Tasks
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Post Installation Tasks" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Post Installation Tasks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../firststeps-ssl/" class="md-nav__link">
Advanced SSL
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-disable_ipv6/" class="md-nav__link">
Disable IPv6
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-dmarc_reporting/" class="md-nav__link">
DMARC Reporting
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-ip_bindings/" class="md-nav__link">
IP bindings
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-local_mta/" class="md-nav__link">
Local MTA on Docker host
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-logging/" class="md-nav__link">
Logging
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-rp/" class="md-nav__link">
Reverse Proxy
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-rspamd_ui/" class="md-nav__link">
Rspamd UI
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-snat/" class="md-nav__link">
SNAT
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-sync_jobs_migration/" class="md-nav__link">
Sync job migration
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5">
Models
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Models" data-md-level="1">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Models
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../model-acl/" class="md-nav__link">
ACL
</a>
</li>
<li class="md-nav__item">
<a href="../model-passwd/" class="md-nav__link">
Password hashing
</a>
</li>
<li class="md-nav__item">
<a href="../model-sender_rcv/" class="md-nav__link">
Sender and receiver model
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6">
General Troubleshooting
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="General Troubleshooting" data-md-level="1">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
General Troubleshooting
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../debug/" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../debug-admin_login_sogo/" class="md-nav__link">
Admin login to SOGo
</a>
</li>
<li class="md-nav__item">
<a href="../debug-asan_rspamd/" class="md-nav__link">
Advanced: Find memory leaks in Rspamd
</a>
</li>
<li class="md-nav__item">
<a href="../debug-attach_service/" class="md-nav__link">
Attach a Container
</a>
</li>
<li class="md-nav__item">
<a href="../debug-common_problems/" class="md-nav__link">
Common Problems
</a>
</li>
<li class="md-nav__item">
<a href="../debug-logs/" class="md-nav__link">
Logs
</a>
</li>
<li class="md-nav__item">
<a href="../debug-mysql_upgrade/" class="md-nav__link">
Manual MySQL upgrade
</a>
</li>
<li class="md-nav__item">
<a href="../debug-mysql_aria/" class="md-nav__link">
Recover crashed Aria storage engine
</a>
</li>
<li class="md-nav__item">
<a href="../debug-rm_volumes/" class="md-nav__link">
Remove Persistent Data
</a>
</li>
<li class="md-nav__item">
<a href="../debug-reset_pw/" class="md-nav__link">
Reset Passwords (incl. SQL)
</a>
</li>
<li class="md-nav__item">
<a href="../debug-reset_tls/" class="md-nav__link">
Reset TLS certificates
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7">
Backup & Restore
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Backup & Restore" data-md-level="1">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Backup & Restore
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_1" type="checkbox" id="__nav_7_1" >
<label class="md-nav__link" for="__nav_7_1">
Component backup
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Component backup" data-md-level="2">
<label class="md-nav__title" for="__nav_7_1">
<span class="md-nav__icon md-icon"></span>
Component backup
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../b_n_r-backup/" class="md-nav__link">
Backup
</a>
</li>
<li class="md-nav__item">
<a href="../b_n_r-restore/" class="md-nav__link">
Restore
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../b_n_r-coldstandby/" class="md-nav__link">
Cold-standby (rolling backup)
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_3" type="checkbox" id="__nav_7_3" >
<label class="md-nav__link" for="__nav_7_3">
Manual backups
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Manual backups" data-md-level="2">
<label class="md-nav__title" for="__nav_7_3">
<span class="md-nav__icon md-icon"></span>
Manual backups
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-backup_restore-maildir/" class="md-nav__link">
Maildir
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-backup_restore-mysql/" class="md-nav__link">
MySQL (mysqldump)
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_4" type="checkbox" id="__nav_7_4" >
<label class="md-nav__link" for="__nav_7_4">
mailcow-internal backups
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="mailcow-internal backups" data-md-level="2">
<label class="md-nav__title" for="__nav_7_4">
<span class="md-nav__icon md-icon"></span>
mailcow-internal backups
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../b_n_r-accidental_deletion/" class="md-nav__link">
Recover accidentally deleted data
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8" type="checkbox" id="__nav_8" checked>
<label class="md-nav__link" for="__nav_8">
Manual/Guides/Examples
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Manual/Guides/Examples" data-md-level="1">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Manual/Guides/Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_1" type="checkbox" id="__nav_8_1" checked>
<label class="md-nav__link" for="__nav_8_1">
mailcow UI
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="mailcow UI" data-md-level="2">
<label class="md-nav__title" for="__nav_8_1">
<span class="md-nav__icon md-icon"></span>
mailcow UI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-bl_wl/" class="md-nav__link">
Blacklist / Whitelist
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-config/" class="md-nav__link">
Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-css/" class="md-nav__link">
CSS overrides
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-pushover/" class="md-nav__link">
Pushover
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-spamfilter/" class="md-nav__link">
Spamfilter
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-tagging/" class="md-nav__link">
Tagging
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-spamalias/" class="md-nav__link">
Temporary email aliases
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Two-Factor Authentication
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Two-Factor Authentication
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#yubi-otp" class="md-nav__link">
Yubi OTP
</a>
<nav class="md-nav" aria-label="Yubi OTP">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example-setup" class="md-nav__link">
Example setup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#u2f" class="md-nav__link">
U2F
</a>
<nav class="md-nav" aria-label="U2F">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#totp" class="md-nav__link">
TOTP
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../u_e-fido2/" class="md-nav__link">
WebAuthn / FIDO2
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_2" type="checkbox" id="__nav_8_2" >
<label class="md-nav__link" for="__nav_8_2">
Postfix
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Postfix" data-md-level="2">
<label class="md-nav__title" for="__nav_8_2">
<span class="md-nav__icon md-icon"></span>
Postfix
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-postfix-trust_networks/" class="md-nav__link">
Add trusted networks
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-postfix-custom_transport/" class="md-nav__link">
Custom transport maps
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-postfix-extra_cf/" class="md-nav__link">
Customize/Expand main.cf
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-postfix-disable_sender_verification/" class="md-nav__link">
Disable Sender Addresses Verification
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-postfix-attachment_size/" class="md-nav__link">
Max. message size (attachment size)
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-postfix-relayhost/" class="md-nav__link">
Relayhosts
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-postfix-pflogsumm/" class="md-nav__link">
Statistics with pflogsumm
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-postfix-postscreen_whitelist/" class="md-nav__link">
Whitelist IP in Postscreen
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_3" type="checkbox" id="__nav_8_3" >
<label class="md-nav__link" for="__nav_8_3">
Unbound
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Unbound" data-md-level="2">
<label class="md-nav__title" for="__nav_8_3">
<span class="md-nav__icon md-icon"></span>
Unbound
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-unbound-fwd/" class="md-nav__link">
Using an external DNS service
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_4" type="checkbox" id="__nav_8_4" >
<label class="md-nav__link" for="__nav_8_4">
Dovecot
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Dovecot" data-md-level="2">
<label class="md-nav__title" for="__nav_8_4">
<span class="md-nav__icon md-icon"></span>
Dovecot
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-dovecot-extra_conf/" class="md-nav__link">
Customize/Expand dovecot.conf
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-any_acl/" class="md-nav__link">
Enable "any" ACL settings
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-expunge/" class="md-nav__link">
Expunge a Users mails
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-fts/" class="md-nav__link">
FTS (Solr)
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-idle_interval/" class="md-nav__link">
IMAP IDLE interval
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-mail-crypt/" class="md-nav__link">
Mail crypt
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-more/" class="md-nav__link">
More Examples with DOVEADM
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-vmail-volume/" class="md-nav__link">
Move Maildir (vmail)
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-public_folder/" class="md-nav__link">
Public folders
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-static_master/" class="md-nav__link">
Static master user
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-dovecot-catchall_vacation/" class="md-nav__link">
Vacation replies for catchall addresses
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_5" type="checkbox" id="__nav_8_5" >
<label class="md-nav__link" for="__nav_8_5">
Nginx
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Nginx" data-md-level="2">
<label class="md-nav__title" for="__nav_8_5">
<span class="md-nav__icon md-icon"></span>
Nginx
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-webmail-site/" class="md-nav__link">
Create subdomain webmail.example.org
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-nginx/" class="md-nav__link">
Custom sites
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_6" type="checkbox" id="__nav_8_6" >
<label class="md-nav__link" for="__nav_8_6">
Watchdog
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Watchdog" data-md-level="2">
<label class="md-nav__title" for="__nav_8_6">
<span class="md-nav__icon md-icon"></span>
Watchdog
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-watchdog-thresholds/" class="md-nav__link">
Thresholds
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../u_e-redis/" class="md-nav__link">
Redis
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-rspamd/" class="md-nav__link">
Rspamd
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-sogo/" class="md-nav__link">
SOGo
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_10" type="checkbox" id="__nav_8_10" >
<label class="md-nav__link" for="__nav_8_10">
Docker
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Docker" data-md-level="2">
<label class="md-nav__title" for="__nav_8_10">
<span class="md-nav__icon md-icon"></span>
Docker
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-docker-cust_dockerfiles/" class="md-nav__link">
Customize Dockerfiles
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-docker-dc_bash_compl/" class="md-nav__link">
Docker Compose Bash Completion
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../u_e-why_unbound/" class="md-nav__link">
Why unbound?
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-autodiscover_config/" class="md-nav__link">
Autodiscover / Autoconfig
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-80_to_443/" class="md-nav__link">
Redirect HTTP to HTTPS
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-reeanble-weak-protocols/" class="md-nav__link">
Re-enable TLS 1.0 and TLS 1.1
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-update-hooks/" class="md-nav__link">
Run scripts before and after updates
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_9" type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9">
Client Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Client Configuration" data-md-level="1">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Client Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../client/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-android/" class="md-nav__link">
Android
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-apple/" class="md-nav__link">
Apple macOS / iOS
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-emclient/" class="md-nav__link">
eM Client
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-kontact/" class="md-nav__link">
KDE Kontact
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-outlook/" class="md-nav__link">
Microsoft Outlook
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-thunderbird/" class="md-nav__link">
Mozilla Thunderbird
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-windows/" class="md-nav__link">
Windows Mail
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-windowsphone/" class="md-nav__link">
Windows Phone
</a>
</li>
<li class="md-nav__item">
<a href="../client/client-manual/" class="md-nav__link">
Manual configuration
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_10" type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10">
Third party apps
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Third party apps" data-md-level="1">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Third party apps
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../third_party-borgmatic/" class="md-nav__link">
Borgmatic Backup
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-exchange_onprem/" class="md-nav__link">
Exchange Hybrid Setup
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-gitea/" class="md-nav__link">
Gitea
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-gogs/" class="md-nav__link">
Gogs
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-mailman3/" class="md-nav__link">
Mailman 3
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-mailpiler_integration/" class="md-nav__link">
Mailpiler Integration
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-nextcloud/" class="md-nav__link">
Nextcloud
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-portainer/" class="md-nav__link">
Portainer
</a>
</li>
<li class="md-nav__item">
<a href="../third_party-roundcube/" class="md-nav__link">
Roundcube
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#yubi-otp" class="md-nav__link">
Yubi OTP
</a>
<nav class="md-nav" aria-label="Yubi OTP">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example-setup" class="md-nav__link">
Example setup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#u2f" class="md-nav__link">
U2F
</a>
<nav class="md-nav" aria-label="U2F">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#totp" class="md-nav__link">
TOTP
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/mailcow/mailcow-dockerized-docs/edit/master/docs/u_e-mailcow_ui-tfa.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
</a>
<h1>Two-Factor Authentication</h1>
<p>So far three methods for <em>Two-Factor Authentication</em> are implemented: U2F, Yubi OTP, and TOTP</p>
<ul>
<li>For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.</li>
<li>Both U2F and Yubi OTP work well with the fantastic <a href="https://www.yubico.com">Yubikey</a>.</li>
<li>While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.</li>
<li>U2F and Yubi OTP support multiple keys per user.</li>
<li>As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually.</li>
</ul>
<p>As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.</p>
<p>The key used to login will be displayed in green, while other keys remain grey.</p>
<p>Information on how to remove 2FA can be found <a href="https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_pw/#remove-two-factor-authentication">here</a>.</p>
<h2 id="yubi-otp">Yubi OTP<a class="headerlink" href="#yubi-otp" title="Permanent link">&para;</a></h2>
<p>The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key.
The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret.</p>
<h3 id="example-setup">Example setup<a class="headerlink" href="#example-setup" title="Permanent link">&para;</a></h3>
<p>First of all, the YubiKey must be configured for use as an OTP Generator. To do this, download the <code>YubiKey Manager</code> from the Yubico website: <a href="https://www.yubico.com/support/download/">here</a></p>
<p>In the following you configure the YubiKey for OTP.
Via the menu item <code>Applications</code> -&gt; <code>OTP</code> and a click on the <code>Configure</code> button. In the following menu select <code>Credential Type</code> -&gt; <code>Yubico OTP</code> and click on <code>Next</code>.</p>
<p>Set a checkmark in the <code>Use serial</code> checkbox, generate a <code>Private ID</code> and a <code>Secret key</code> via the buttons.
So that the YubiKey can be validated later, the checkmark in the <code>Upload</code> checkbox must also be set and then click on <code>Finish</code>.</p>
<p>Now a new browser window will open in which you have to enter an OTP of your YubiKey at the bottom of the form (click on the field and then tap on your YubiKey). Confirm the captcha and upload the information to the Yubico server by clicking 'Upload'. The processing of the data will take a moment.</p>
<p>After the generation was successful, you will be shown a <code>Client ID</code> and a <code>Secret key</code>, make a note of this information in a safe place.</p>
<p>Now you can select <code>Yubico OTP authentication</code> from the dropdown menu in the mailcow UI on the start page under <code>Access</code> -&gt; <code>Two-factor authentication</code>.
In the dialog that opened now you can enter a name for this YubiKey and insert the <code>Client ID</code> you noted before as well as the <code>Secret key</code> into the fields provided.
Finally, enter your current account password and, after selecting the <code>Touch Yubikey</code> field, touch your YubiKey button.</p>
<p>Congratulations! You can now log in to the mailcow UI using your YubiKey!</p>
<h2 id="u2f">U2F<a class="headerlink" href="#u2f" title="Permanent link">&para;</a></h2>
<p>To use U2F, the browser must support this standard.</p>
<p>The following desktop browsers support this authentication type:</p>
<ul>
<li>Edge (&gt;=79)</li>
<li>Firefox (&gt;=47, enabled by default since version 67)</li>
<li>Chrome (&gt;=41)</li>
<li>Safari (&gt;=13)</li>
<li>Opera (40, &gt;=42, not 41)</li>
</ul>
<p>The following mobile browsers support this authentication type:</p>
<ul>
<li>Safari on iOS (&gt;=13.3)</li>
<li>Firefox on Android (&gt;=68)</li>
</ul>
<p>Sources: <a href="https://caniuse.com/u2f">caniuse.com</a>, <a href="https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/">blog.mozilla.org</a></p>
<p>U2F works without an internet connection.</p>
<h3 id="totp">TOTP<a class="headerlink" href="#totp" title="Permanent link">&para;</a></h3>
<p>The best known TFA method mostly used with a smartphone.</p>
</article>
</div>
</div>
<a href="#" class="md-top md-icon" data-md-component="top" data-md-state="hidden">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12z"/></svg>
Back to top
</a>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../u_e-mailcow_ui-spamalias/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Temporary email aliases" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Temporary email aliases
</div>
</div>
</a>
<a href="../u_e-fido2/" class="md-footer__link md-footer__link--next" aria-label="Next: WebAuthn / FIDO2" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
WebAuthn / FIDO2
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
<div class="md-footer-copyright__highlight">
Copyright &copy; 2021 André Peters
</div>
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
<div class="md-footer-social">
<a href="https://mailcow.email" target="_blank" rel="noopener" title="mailcow.email" class="md-footer-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><path d="M248 8C111.03 8 0 119.03 0 256s111.03 248 248 248 248-111.03 248-248S384.97 8 248 8zm82.29 357.6c-3.9 3.88-7.99 7.95-11.31 11.28-2.99 3-5.1 6.7-6.17 10.71-1.51 5.66-2.73 11.38-4.77 16.87l-17.39 46.85c-13.76 3-28 4.69-42.65 4.69v-27.38c1.69-12.62-7.64-36.26-22.63-51.25-6-6-9.37-14.14-9.37-22.63v-32.01c0-11.64-6.27-22.34-16.46-27.97-14.37-7.95-34.81-19.06-48.81-26.11-11.48-5.78-22.1-13.14-31.65-21.75l-.8-.72a114.792 114.792 0 0 1-18.06-20.74c-9.38-13.77-24.66-36.42-34.59-51.14 20.47-45.5 57.36-82.04 103.2-101.89l24.01 12.01C203.48 89.74 216 82.01 216 70.11v-11.3c7.99-1.29 16.12-2.11 24.39-2.42l28.3 28.3c6.25 6.25 6.25 16.38 0 22.63L264 112l-10.34 10.34c-3.12 3.12-3.12 8.19 0 11.31l4.69 4.69c3.12 3.12 3.12 8.19 0 11.31l-8 8a8.008 8.008 0 0 1-5.66 2.34h-8.99c-2.08 0-4.08.81-5.58 2.27l-9.92 9.65a8.008 8.008 0 0 0-1.58 9.31l15.59 31.19c2.66 5.32-1.21 11.58-7.15 11.58h-5.64c-1.93 0-3.79-.7-5.24-1.96l-9.28-8.06a16.017 16.017 0 0 0-15.55-3.1l-31.17 10.39a11.95 11.95 0 0 0-8.17 11.34c0 4.53 2.56 8.66 6.61 10.69l11.08 5.54c9.41 4.71 19.79 7.16 30.31 7.16s22.59 27.29 32 32h66.75c8.49 0 16.62 3.37 22.63 9.37l13.69 13.69a30.503 30.503 0 0 1 8.93 21.57 46.536 46.536 0 0 1-13.72 32.98zM417 274.25c-5.79-1.45-10.84-5-14.15-9.97l-17.98-26.97a23.97 23.97 0 0 1 0-26.62l19.59-29.38c2.32-3.47 5.5-6.29 9.24-8.15l12.98-6.49C440.2 193.59 448 223.87 448 256c0 8.67-.74 17.16-1.82 25.54L417 274.25z"/></svg>
</a>
<a href="https://github.com/mailcow" target="_blank" rel="noopener" title="github.com" class="md-footer-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 480 512"><path d="M186.1 328.7c0 20.9-10.9 55.1-36.7 55.1s-36.7-34.2-36.7-55.1 10.9-55.1 36.7-55.1 36.7 34.2 36.7 55.1zM480 278.2c0 31.9-3.2 65.7-17.5 95-37.9 76.6-142.1 74.8-216.7 74.8-75.8 0-186.2 2.7-225.6-74.8-14.6-29-20.2-63.1-20.2-95 0-41.9 13.9-81.5 41.5-113.6-5.2-15.8-7.7-32.4-7.7-48.8 0-21.5 4.9-32.3 14.6-51.8 45.3 0 74.3 9 108.8 36 29-6.9 58.8-10 88.7-10 27 0 54.2 2.9 80.4 9.2 34-26.7 63-35.2 107.8-35.2 9.8 19.5 14.6 30.3 14.6 51.8 0 16.4-2.6 32.7-7.7 48.2 27.5 32.4 39 72.3 39 114.2zm-64.3 50.5c0-43.9-26.7-82.6-73.5-82.6-18.9 0-37 3.4-56 6-14.9 2.3-29.8 3.2-45.1 3.2-15.2 0-30.1-.9-45.1-3.2-18.7-2.6-37-6-56-6-46.8 0-73.5 38.7-73.5 82.6 0 87.8 80.4 101.3 150.4 101.3h48.2c70.3 0 150.6-13.4 150.6-101.3zm-82.6-55.1c-25.8 0-36.7 34.2-36.7 55.1s10.9 55.1 36.7 55.1 36.7-34.2 36.7-55.1-10.9-55.1-36.7-55.1z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": ["navigation.top"], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.8397ff9e.min.js", "version": null}</script>
<script src="../assets/javascripts/bundle.1e84347e.min.js"></script>
<script src="../clients.js"></script>
</body>
</html>