From 08fd44e9944a26075cf75bdee0bb59b62f6a8e1d Mon Sep 17 00:00:00 2001 From: timo Date: Sat, 6 May 2017 03:51:31 +0200 Subject: [PATCH] Some minor corrections --- docs/bl_wl.md | 4 +++- docs/images/bl_wl.png | Bin 0 -> 12338 bytes docs/ssl.md | 4 ++-- docs/tfa.md | 16 ++++++---------- 4 files changed, 11 insertions(+), 13 deletions(-) create mode 100644 docs/images/bl_wl.png diff --git a/docs/bl_wl.md b/docs/bl_wl.md index 31561e858..08b925537 100644 --- a/docs/bl_wl.md +++ b/docs/bl_wl.md @@ -1,3 +1,5 @@ -Edit a domain as (domain) administrator to add an item to the filter table. +To add or edit an entry to your **domain wide** filter table, login to your *mailcow UI* as (domain) administrator. + +![Black- and Whitelist configuration](images/bl_wl.png) Beware that a mailbox user can login to mailcow and override a domain policy filter item. diff --git a/docs/images/bl_wl.png b/docs/images/bl_wl.png new file mode 100644 index 0000000000000000000000000000000000000000..3619868f54571b218c378cb3045b9ddece06391d GIT binary patch literal 12338 zcmd6N2Ut^Gw`MGeAA*QdM4AdH9R#Ebh)8eJI|$N3@6~{cfYOVAlz_C*L3#%@(wlT4 zBteiGNTh@aA!H8z-)(d6%ri50W}bT<%1+KXd#}CL+UtGS-s|lX9aS2t8&n_=h(=xQ zu|5cNJ{D+?Uc3PO?J{~*00P|vsXtaU49eL?4!N=rPRKiGa#5P`eDF$|En}9lYGe=MO z@O*f9v*@caNu`A1kAl6>g3oJtYUvHV4$H14X3$?0La#RfcRYr`jg@O-d7*+CLmMAZ zt(ZB$YP6poF~#c8&eC5zzuys3?jltA@TS+ZN#IV4U?|I96z9%R91FHob{bHr0LF9_ z^s9Atmo8n@f0S}+#TSuwf)orF&(mAhajBO~=cFqs)`&FNa~rbpP(#D@OBb<ey;we=WxVQJeccPPpodqeNKVr_6 zKmzHh&+oT97ucZ6FE=o{dF5O0z!rGb{M7;jj1~l{o^^;-?i?C_rKu~v$<%2gz{hTE zR0aI7mv=xXHAFrv?oPhMjat+?JN{$=9!D-P#U3kew){4I`S4*Yd~#3Nzx;3&_|`zZB0L};%yJTK`fsLee2eKmY!tW3y1t;ig=3_yYWiNI(7nS`rBc#Ly94~j@}$~YQe}a z$~eefQ;N>QK%L)adTR~kUtLV|pFaHjt!_r*GGz&p>BZ%1LrkL~=3yZxq)8VuUG^HD z^#sgDebvjtNcfj`UDZUI${Q8ZRUEqa?TsFdlyyv`c!TzJ_7VScDbT_79$go_`*M-nSttj!|u=4gUb~% z3y5?EDi??Cr|T^$odkQ{(kDUMl+$hH(V-zHQ~KCn_DlO`K%chT2hQ2SW0d=*<*I}z z8h0C{ej#m{mwzsny&6i-^TTk4;G$H6+b;`_}F;$hE&kObMB(2>$N)fEyHWq z_rDF;j~(dT(aHX^F53Hg3I-&@w{m_0T5Nz!c;htb_s=FWPzMnN&8dKeAiNMqWd!K- zM;E7u0YmIU=-n!I>ZrT^o7ZruKf{IBqI#WJl-X$2Jznzy_Uro?9aL!zS9(y?#bRlK zDW8P~d^DMwFE{wat0UFEwoq1189I-e|2Dbu;jChyHS+lCC{13MBx>BAx2 zL3p=P*BQ`L>;l4WTs$#to8sd%{2E(^AVo$ll$IQ%u4z0c`^-5shDFgDW;)f*yIk6I zPpMXIv-Eu^?3d4zmk*yL=E-wNg{Zwh3wqk+uQNzRan{@%`3t2fK*3->mkWMSh&AI< zchyvkG;Zpch5L@Ym6$O;^%B;mcc!7R$5KTPMYe`ZvTfLjv;p{yc*2H{+UJ#|nu`)4 z^QTUVMSWq6%~c4mUQh{M7wH@tV_z%3)|Y2`>RC@h6Ehm>0>YHOrgrv?mQCYJsLnsS z<|%>9o^_S2?{{hwnI_Dkn!bE~@#x3G?~QYy7p?mLh_?47Sy&&KvA1L_iT5(Z9#nEu zDCq*y?S4JjOga1cqWk|`LBQTvGeQ??3V-wZm)db~pITR2kXX3cwk!-BUMvZf0>gg!adKeDCZ;i=Cco zMgE6JKla4Zq8#D?yYah5P$F{*jJ}6LO{w^<-+;7+FTvFK=7ZJWevj>O&&$P`s^Tw;43$; zsR%KhS$^_Fb7to2shSUcLRwaH)UD(?^=nImOpO{h8#;HJa?LdX`^<03K9mr6RtZ3) zd4OjWQral^*~ow;q^DqVGb)w8vSeNeyYaN9(nQLhK##UNNecQHkTIoYVe$>~k&?g(y-c@K-$|^ABD(fN* z%Zc%o{@Og$>pYFNCU7c>b5!Re%xjGsjpR8@)*33)o_HiFJ9$y zR~=Pva7aP`7`3^osR-CV0kS#A1J8|Oq!PsJq`p2VkB|nN_O7$y!1p`0sGA!KzU~RK zVddC)7^Nq9H{UiEJQexyRHUd+cgF8~c(*e8d7w^=PLq%4u=eSilLrV1!1Na7WvV>E z(o!d7P5>Q|eEEM!7XN>7FG98Hy9OZXliNx7(W=$42(LAifAZK6|a3 zvwGIwEkk|CFyO0Hzl43Z#cb7(2sLw*|E#a*eV?(VwowvR;;3&fnc%35%0>Y|@3Qe` z>+#BQ{6R7`{7LJy99id1xmw#D@a`a5n8EMoWki1;{m^VlE)%(h*mr-ha`IO@hUW1N zOP#aRUM5y!v8#7v=T5e_c^HzR3u#>O=t=e{Ga}sV!0OAnA7=s!uhiPVPZt;hkDKbR z6s8jnw;5ymB}^2XGOzX&ocWoX?GGhdImDcJ=YR>kyQq=dIBidCta6pP1}sfJ+)8~g zE-NPE1}gOMO_|}yU&i&7$L4o@itWa=wU)p9@@*=lD~)R346zn(o*po^OSg;c{V6Pe zrT!qAbdffdj@^riicWKfw8uH!h^(ZZH1^c&*aiZ0zXUwl9rn1^nagJkpIt)on1{r4 z1lIS5PM$I@1NHlz-x@fY)8q#GW70cnzQgi0+H11RD|pxv2gRwCm%#UlRG&KImwD*Y z9Im6rJN)3#NA1;GqC$u|dsVwZlPsnvwu2DK44Ak73@ioZnU^xe9c>#Griz#+)-e1Z#>k-dtKvzEi&P~4#+i;c{JP6&1S_?BOT0>&T&0|ww=WZ3bbW6|KP8B=+C=9{v|VKymK z?(DpF^Dc20-8yHH#%58>{<7uOF2pr{zZq~5C#)bd#oVe4S;>2?QN`nC>gxTJ;dT}W zO})t^wxOWC_f1;d#DJraTQwS;Wz|K!Va8F+Y)6tTOr^c?&nA4dj~;+C>o_A6E)=GR zPaR!v&UIwVK$qfK$F|G2g$(Sb{70>wMeUVS2aB#*zwtSlaOW17{Oe(6<%Gve9t+np zD@{P(bKZd{i(mpC`~Amg33yP%y?6r5ki`U7y<-=QDMolWH;W!qcj;kHL@`TWp&jae3r9bBau3pY@~n{$Ur4`(6jfI%=TGexz9%8dr*Vw{_Y&&D~YaY*b)v#Ochh zsZY>!h8;ZYvlZ>Lk3NMOII*bDz2WA+VZsLuptWb# z;J`aw(M*~0ut!q=vll$+<}?U*?_vG70yWw zXSocc+jeD7+FM2kNT)Yzt9x-2P0)j7*@1>u5D1dJ4SJERAe5h!T}QE^!Md z__(%|wej6|&vFDR4ZOysE{!nknl@_BO<|C(sXGcxGM6b(E0@^!C0|CkGhC1mP@hkn z)0mFNJx5`%$pVx5Va)+Qj+V?|VRA+7@2e??PWv zAZ}NiH@>?TaJ79ipnbE+)kCrLcG)(2v6oEWQJe3+pp|PpM|I6ZBlcQ(DBdo<@|YHJ zS;$R6tojnUg;etFuAl)1>x8#79Jhq5cZ@wy$apWQzS$H=IfLlmxXc_d51GK#k!;D` zC5XGxHGpk{Y!%p=J#|~dtpdX(Tv*yZhFLgxl5{qGiScq1es9B^(}5+P`{-*5Se5?m zV|xo2wOIKhhmYuNST}Ua$tl~ts?WV=uklh|vO5sCEqM`Y`t96hRUzAIhef`h_)^NP zco@|M32|91Mb!fECtTnm5dnYh9>Hge3cZ|t{H>G&Io+W+>SDLTssOPy`q-_a0DgZO zC2VH*g4jq9kz6B*!L4W!Ka9pIrxH7UAjSoHZtt=O>$VX)ny>T}sK~?AcGX5mubW>^ z`Resh(M;Ft^~_*Ufx><_=K#&!nso=9AD_3L2%R?8>ldi_wjAeynu1@ua753f(x5CUk z$bNSP$))&vTcn|c3iL<3n|awwoL_e9%ktwxN~RiQVtY>kGGJDgG>;BZxZ0^XKDb@& z)5Ht^IF-^%E7?Oj8zrce7!HX;ggKfqop=+K3<|FpaINI*=GG0rWFg_(hmWZRi1d4R z)Hh`)T2SLJzywb4uDtZ10}=l6#AQidIs`dZ7dN?uIE~j^W4-Q5g)^S@vaNaRk{b;_ z&4~GCVJshmj%{0j0OgRakr-4rvW}kLfdmM!r7<+ptEUM+S82M1p!O|x;{*rFZL@w8 zrJifrVE-g@BTLZ-yVeNXlN4f;rtF{^K@}gZ3@lGCD%R(?hh%&>j27E&34mmrNe*4T zOBfbKod9d?C{!9F|DB&P9=E6Bsaj7T+aLO~(>A;h(FB+%KG=-MSC! zhJt-{7H`h>}cZZy@2wm2Jq%ZWGmErlcFOh3oumCk7!0hiX7 z12HQ`71JHYf#exMf__8Lh8oPaKSo-)s1~lRC*YHA8^h^#ttn4ET!Bnnew5ngpXvB` zJHX**BEo3RX+Ai$D1h@W{9{QL)}J9(2*Gig9h}vmn_x;16I#}S%)iHbLrHTj?(1KU z+;eNtVB%i`t%(oAw1TcT4bS2cFM51;a+USvI8xbsA7L9v+ePw-7}zwni9u3(1p_C( zwXJ~;q_`h1-$Y2MIAnXcA_WKSr`$A0kU=)JrTHl4X}SA^F6E8q!_tNQq%n)iByTaD zXS+e%xH7!}9~)pMI{OT+Ig=L}vIF<@xNzA{K4X?YbD8@Pb2g1$KaZMeu$^$MHV!aLpD>T@u=xjJ(zbtG&sa*v91 zNOPi6LmaA%t<6{0=XK=Gj7>PH?fiO7O)YPWDwuoaYZX|L@Ap+-+*jPY?PMk8PBhF- zH2-+Kr|^2lHZ3IqIY3Fn__9QtLKrklD#D%a?(zS(9 zovA>F>?kI7p-Ecp`Ysg@;rF5NQ2~v4SPE873byT8JPrvU%TLJ+4mPBqJQ?Pq+sB0l^o%DN0W`;AJ8Xl}* zfpaHdM5!&xw2bHCES|<>2oFoPu3>$~#D~P(IwHuk*;U<{4jk_;G)L5;S!z$=tUnZ< zp>!KJqJ*-DvrEpQ=??649BXqQY`A(3H=-{9u$&lGflOGjp{J7DY?^kjLncgM$oMu? zw!6&Y&K=+Wk*{qdoDM18W?1BCYUV2f)U0H@8plW1$PnL4AA2`#tgl!8p8ZsiEBh;;jX(hkCm3jQjK`I=uFNsLDoAu&Za_t*n|?%O`19RIaW^~$?UMJz8{ccyH&c&}+y%I7segE;|2AG%a@pbO$X0u*oR2|U{SCl`>3ZL3^duLml+1DdFy3hXh|5i z33*AE(|DK)6Wc!VhmtbIbm7hUMGoaptT|f4`tYqJbJbvF0nKq!tpPVh)w%UU8d~9T zT5W5adqFW_ zEHo4NdM}+W3megni~^GF;tH)hRizs_;7)~At(+c3Y$k{M-0C7t{JpXM&{-fAe-Zf& zAR*#{+;zpW*_4ka?XsiYFM_>b6Q}0)D-N>b1?1i`oL^ghAN5qL*K^KkPk&?TqAMRMv*m zJc^=*zjIf8H@G^T8*u(SFG$SUD8)K2^}DBzoTVI7n(cLS&$ik!2p2-c-gJC}$Pc2W zVy67$etQ}8e&!KF?A47p(TxT>0PIER)lFb5XB4SEQETXFM%fOC0KW2N3U0J?@H8o< z$RnH61Ed1H)}n3C3Ys)8wbLu!_ESX~t4G=PH|URI4!W+r8*Y)*su+{ku8lBK8$otO-!-apyS>%Vy@clvKE%Et;Yk0--%tf__GY}Kz~K8(R(h2olag5 zn0&oysonTfF{4sxtD#E8awE-F=xlWxvbt?MYfol0S#mKS;ZJ^+=IKA}VGn(BjbBp+ zC#%JOf4>0}$5Pi}(4e|62ZMS?I}iF0%L`w24es}HcoVxx5_dz+5$H~ha|Wbx( z9n+G}C$=YNERgvnetpOj&y1TC3z~r3%@J|uo=RLY5-4wIcbT1?ZZ~cU9JFh;@O6ZLO0UUQ(7-bk(pOsOVJ4{tV84yeMxjT# zq|PgPukK`T(82}4EzJZiYt>SGu=hXKK1Y&zgNq*|kMhg~UXv*KjZE9<(plL|F^?f6 zpo%939mO=h+Lcf0o}o482C}Be-NQnA43MleeeKHWDh%xG^p)#o7zoODQTUOAa#y)J zXg^cZovX0Xor~Uu=_Z}UN&@2{fMp<35h=jf$U@OvU)%X>lE(o6Kfq1+OpI^Y;VF1G zoaMNOMC_IK0Pn59soy#c>{S}E2~avkE0w3Zex^RUsQ(GB*n7r{1#mmZ#w-7HIJ|KA|IHz7$`ntJ!(F~WITkTY z9?oz|-=#Tt!+X0|fSa!hlXV~1`K0WZ0;~xVdS)A=jA<%Ua}n8^64mS3jpt7cRdD35 zRj|5P=5Sks-Adle(*JiDX%Et1VcZ#d=-nfzv@*j09FKy8BIA4kR|CChZ@k%4Q0*pG z@SZ`BtP4R&q`5cMJU9TrNW|ey|99Bn_7G)4#bvZ-`XPG-BFWbDw#pfh7ouMZp5zT| z`&wMm1E70Ibi0yI-6C`Tkd7bWX2FgFPHVSMYXL;2)`|EU`nnk9+jWAPJAPsIBBg1w z46)zq1T8WjDM#6s%k9@^-G*(CJ~kMCBM1lfZd4d_u?g30&?4t9-3$3$F&fyOoP3(~ zR++2sI2(?uJ+8H%Arc!{nCEsNX|t0tDsGv^k0}VAa~_VJKl+4qfyi}v)Ig&AdkEw! zE3obD-7mGgmK}F`0&4okPOl;*iLIv8YHTnjjawag&_ykVg{<)~WkCDO=F*C)ee^Wn z?)FSpvlKTBt7+hkP4rEQ{T{=h%zJZfl5T(~%mcdjy8LOx+`4iZUZ zEHL$Z7sF%ip|Q#5V(#KsY%IvjzslaaIb)x7@QJQPg;z)x+n)cdnHM3_fDSbGExeKn zeQ@K@jLT}zde&D@S*-ExGKK?&?)gz;+r_=DB8X!@1MGysp8MI(lhDaIoSDEr&aqp} z3a_%j%EAZZA(b>9D^eIx#PPt;o>lZR2(;%6@M|-~R2y+Q>|Fv+Ey7QSMo3Cwsmfg6 zxafh1mK;;(73X>U{-?736yobR(rW+M5nL6>h^7N$ev8BR_h`e}_5`I>zl0Djt~VvT zO8_YOWH}xwdDG*@{C4PePCAtNw_DaqSuyA6HRU#%Ib%zc?(Ea!d?x1TQ>#2Me_^L* z0<#S&ITL6>VV2x6sHZ7S=uI3!wrqW0OfCob!tC|qOiygDgED~<6`LKUQH2GB$jha> zPh)iSr5_N2MdH|KEp#fLC6Vecv+-AZUr0LLJ`=_QHXNrzgN?4nRL>d>DW_%aZt#IX zPp^w!K6U*=aY9dlM+MiU22DpsgFufqyz_$fro^7;a0{`m%17dkY;w0qb%2~8JZ`Af zu(SBl9U-{LG~2EjZ}u;F%)PiS*SQi_m1j}i>4zSx_VZ@y`tndC;fVVOlh#QtlD?wU znnY}Ln!Y&<`b0BAGAze2xUH&VD@dI#)C&p%y_ib^ToX92ssIjz?h~%nEk~%n+B|%( z#eeS?>LkRx$zh<0Q^VmBrw$vIFC%VHTu^zLcbk1XKS){_va0Z@|fxAFxJBlzPvA7O}&S+KVR59QA3HR=U5yl2oFcnXb%CAkZhHKkJ>D zK9>DOkwZd9-zTj$nqoJLmDT%kfKM;RoX%x|I!2jb?Ybp*0cNE0nBnc$cWY6JfWn3T zyvzH)S84Mf9G*AR_Ye2h z+E0AX(Xul~2V9Gfi?BU~3;YQwhbdM*?6}mpq8J@Uj8|!InsI5|-&yYCch7DK4l*!(swBKu+QXOUCdV*bXC&gQp3L$POFN3u_+IR zDwgl4*pQbwj+*xC#%iEL~WMrZsx)`+{C zn)Y?EcOI0(p9t)WI^z-NAcW#;O(EOF5CgzPCv=N5jy8vc?XTNH@c8b1gT3c1HQnK5 zHC;hmoX2YD=Oz=~WPIZnTP2&yu)@5k^D?jKML7DUT6pbQ|7dtKj3HL0Z+;GCjCIgC z+-B>xI?AT<35O?z^JudPA zqDOZBRzZi8Js}Jd9UsN9^?Hh%edOal=GAdYzBCPwr#`)V)6Hb#GQ)2!-@j!HkVD{+ z93-V+0t7Cyk8eivlaVH()Jo)j^5dkltMts2l96%e{#XH7W0zbsxtSmlYcXGz8x0Hb zR`Rr9Q_sW0F>Kpg^mzC|(;n%l$vXV^)=7K8bNQO8DsA`f>UFINFsaeny*rJ|-<)AZ zB0Pz!6B$}HGNSG7(J^t5T`pTJ);a8s*|s+8S!%L&_rM^d+hSy82R*y=Yj-~rQLz~o zNBPI*Jxd8q5_{#jexnMQOZxEDjW43J{DYnzF2247hfBHgp?NtQ4%MYL2Ql-bo@M@b zro)4(sA=|ubEP-&8;GN zKCNQbDdl_YXwdWQZpxPXsv+2a-*Gu@GY`t+>+^gmY)=c(nt`S366*}wdDPvIQ_IRE zxz9(AxE3~Q9T2j+D;Kr;D5^HzMbeFMJk1keG_!>4vX?0EJQc(T*jSsXvv4NXctF7v*p7Js-U zsftpy@bby5-G-vD>$WD40? zazH!v4Xy;_JPimaA6eiRE|PnEx`L_nJ-ZGcMcML@SL08JX!524#oGKy%?T;>h5{MU z%KOsKS0S{A5I?Kog&=p^U zeyLxaKyo$>6lp6jL7L}e_b_

Tp4v6BXQ>n0p%W@L|xH+0Sp6k>hTdXjV72dr`+1&Rm-uqzgXb6|f4`}A=F)#>IHp*c63+(wjI6;}Q(}c_Y??8UrY97X1 zdpfF95pw9F>a@A;A7&uiGs~BOcJ{>hs3H$y5cBg3-yFM2mq!m-yHLa6wU76Ga;Kzc zDi-)5QnGots;+E>+`O-lol=W?1pRCai~0Ha3F9z}P)~*R{M%}u6K_&1N+biU?4JXj z+zY$p{X=A~M65#TG?TFoisZAhV~s*SkU7}fadkiOV$YE&neNKgk$(V~=?@x;j^b}E zQ{VnO3eW<@F6z+Kz>vMRb;}`Zflck=kZ9e3mh7AUGr=X$=hm{avV2(j#(IM(;k&ei zgT#O7=Dto^oY;%MBd*+gJG#X_00dvrzd(G&UGbnoF#Z92<=Tt1j6fTp1%wYbUbOf8 zeGe<+o8Aa~mu3{Yue`=*Yh@9O=J$a~Tv1P@_LEPCCNW1hRX0RIqVypz(Pu zLBIYrZvIUUY)U4_cXoE5(K(2VdeBjL=MKM!@V|a;waaw>2b>ZLMIy!IycD2N=*Dti zB9O;|UQovUp&@5LmeBy){U5O^5XeNaHy`;JSYe=QIFaCM{dcwYr|tix+U);;G5(*D zzyF}Cwcc1|4*BP&HRj-dsr)`I0KfDNAb3H(Jq6w56AR#%2o>h~r^@hu6o|XG9T0Kd z7+g2GtJQ8Ch^7N`%Kxs9=f6JyF?Me?MmfbVAONOt@>>b$to^j_wM*LnrrunI#f?KD zYzpYF`t&g;CnvG#Fh?Oq5-yxPIX9On15G$N-qR)R^l|*#VH%`e!cPuMfcvAPqx;=t z63#JJnWS8JDtR~w&-CAkoiGpZ2RYy5^}&DM^-%ctEPjkkInmVPJss{Wltza;^XX literal 0 HcmV?d00001 diff --git a/docs/ssl.md b/docs/ssl.md index aa672f37c..9ebccb7a9 100644 --- a/docs/ssl.md +++ b/docs/ssl.md @@ -1,6 +1,6 @@ mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates. -mailcow uses 3 domain names that should be covered by your new certificate: +mailcow uses **at least** 3 domain names that should be covered by your new certificate: - ${MAILCOW_HOSTNAME} - autodiscover.**example.org** @@ -35,7 +35,7 @@ certbot certonly \ ``` **Remember to replace the example.org domain with your own domain, this command will not work if you dont.** - + 4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder: ``` bash mv data/assets/ssl/cert.{pem,pem.backup} diff --git a/docs/tfa.md b/docs/tfa.md index 60ad71df0..674a88ea6 100644 --- a/docs/tfa.md +++ b/docs/tfa.md @@ -1,14 +1,10 @@ -So far three methods for TFA are implemented. +So far three methods for *Two Factor Authentication* are implemented: U2F, Yubi OTP, and TOTP -FOr U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. - -Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). - -While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. - -U2F and Yubi OTP support multiple keys per user. - -As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those psaswords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. +- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. +- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). +- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. +- U2F and Yubi OTP support multiple keys per user. +- As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those psaswords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.