move webauthn/fido2
This commit is contained in:
Parent
be3d3acbb6
Commit
107c39f1ef
3 changed files with 16 additions and 29 deletions
@ -1,28 +0,0 @@
# Fully supported hashing methods
The most current mailcow fully supports the following hashing methods.
The default hashing method is written in bold:
- **BLF-CRYPT**
- SSHA256
- SSHA512
The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value.
## Read-only hashing methods
The following methods are supported **read only**.
- MD5-CRYPT
- PLAIN-MD5
- SHA512-CRYPT
That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database.
The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords.
---
> I changed the password hashes in the "mailbox" SQL table and cannot login.
A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow`
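Review bot: the entire deleted file is the password-hashing reference (BLF-CRYPT as default, SSHA256/SSHA512, the read-only MD5-CRYPT/PLAIN-MD5/SHA512-CRYPT list, the `MAILCOW_PASS_SCHEME` note and the sogo-mailcow view-refresh troubleshooting tip), which has nothing to do with the "move webauthn/fido2" commit message, and the nav edited in this same commit still keeps `'Password hashing': 'model-passwd.md'`. The deleted file's name is not visible on this page, so confirm that this content still exists under that nav path and that the deletion is intended; if it is unrelated to the move, split it into its own commit so the hashing documentation is not lost by accident.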
15
docs/u_e-fido2.md
Normal file
@ -0,0 +1,15 @@
## How is UV handled in mailcow?
The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey).
## Login and key processing
mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory.
A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login.
When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory.
## Who can use WebAuthn to login to mailcow?
As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2.
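Review bot: the "How is UV handled" paragraph says UV is not enforced but not what that means for the user; add one sentence stating that without user verification possession of the security key alone is enough to log in, so a lost or stolen key must be removed from the account promptly. Two wording points in the same paragraph: user verification is performed by the authenticator (PIN or biometric), not by "WebAuthn", and "i.e. YubiKey" should read "e.g. YubiKey" since the YubiKey is one example. The behaviour described under "Login and key processing" (registration stored on the authenticator, no username, no credential IDs sent at login) is what the WebAuthn specification calls a client-side discoverable credential, also known as a resident key; using that term would help readers match it to their authenticator's documentation and is worth pairing with a note that resident-key storage on hardware authenticators is limited. Finally, "setup" in the last paragraph should be "set up".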
@ -44,7 +44,6 @@ nav:
- 'ACL': 'model-acl.md'
- 'ACL': 'model-acl.md'
- 'Password hashing': 'model-passwd.md'
- 'Password hashing': 'model-passwd.md'
- 'Sender and receiver model': 'model-sender_rcv.md'
- 'Sender and receiver model': 'model-sender_rcv.md'
- 'WebAuthn / FIDO2': 'model-fido2.md'
- 'Debugging & Troubleshooting':
- 'Debugging & Troubleshooting':
- 'Introduction': debug.md
- 'Introduction': debug.md
- 'Logs': 'debug-logs.md'
- 'Logs': 'debug-logs.md'
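Review bot: this hunk drops the `'WebAuthn / FIDO2': 'model-fido2.md'` nav entry, but nothing on this page shows docs/model-fido2.md itself being removed (the first file in the diff is deleted without its name being visible). If that file stays in the repository it is still built as an orphan page, reachable by URL and bound to drift from docs/u_e-fido2.md; delete it or add a redirect to the new page in the same commit.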
@ -70,6 +69,7 @@ nav:
- 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md'
- 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md'
- 'Tagging': 'u_e-mailcow_ui-tagging.md'
- 'Tagging': 'u_e-mailcow_ui-tagging.md'
- 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md'
- 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md'
- 'WebAuthn / FIDO2': 'u_e-fido2.md'
- 'Postfix':
- 'Postfix':
- 'Custom transport maps': 'u_e-postfix-custom_transport.md'
- 'Custom transport maps': 'u_e-postfix-custom_transport.md'
- 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md'
- 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md'
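Review bot: the new `'WebAuthn / FIDO2': 'u_e-fido2.md'` entry lands directly under "Two-Factor Authentication", but the page it links to describes a "key login" that asks for no username and lets the authenticator supply the credential, which is a login method rather than a second factor. A sentence on either page spelling out that difference would keep readers from taking the WebAuthn entry for the TFA setup.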