Currently we are taking a closer look at Mailcow and we might even switch our mail server. During testing we found one particular case surprisingly hard to solve: what if a user locks herself out of the SOGo Web-UI by losing her second factor (2FA)?
The second factor is a time-based one-time password (OTP) provided by Google Authenticator or a similar app on your phone. It is a 6-digit code that changes every 30 seconds. Without this code nobody can log in, even if the password got stolen. This is good news… until your phone breaks.
This was our test scenario: how can an administrator disable the 2FA without logging in as the user in trouble? This was surprisingly difficult.
No Button in the Admin UI
We did not find any button or other control to disable 2FA in the Mailcow administration UI. Maybe it is there, or will be in the future. Currently we did not find it.
sogo-tool had no effect
After some internet research we came across the following solution.
In our case, however, the command had no effect. The value of SOGoGoogleAuthenticatorEnabled did not change in the database and the user was still unable to log in. We did not investigate further but started editing the database directly.
Direct update of the database
As a last resort we disabled 2FA directly in the database. Note that the structure of the database might change in the future. Please double-check before copy-pasting the following commands.
After some time (maybe due to some caching) the user was able to log in without the 6-digit OTP. In her settings 2FA is disabled.
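Added example, not code from the post or from the Mailcow/SOGo projects: a small Python helper that rewrites only the 2FA flag in a user's SOGo defaults and builds a parameterised UPDATE, so no other preference is lost and the address is never interpolated into SQL. It assumes (not stated in the post) that SOGo stores a user's defaults as a JSON document in sogo_user_profile.c_defaults keyed by c_uid; verify this against your own schema first, as the post advises.

```python
import json
from typing import Optional, Tuple

# Assumption (not from the post): SOGo keeps per-user defaults as a JSON
# object in sogo_user_profile.c_defaults, one row per c_uid (the address).
TABLE = "sogo_user_profile"
FLAG = "SOGoGoogleAuthenticatorEnabled"   # key named in the post


def totp_enabled(c_defaults: str) -> bool:
    """True if the user's defaults JSON has the 2FA flag switched on."""
    defaults = json.loads(c_defaults) if c_defaults else {}
    return bool(int(defaults.get(FLAG, 0)))


def disable_totp_in_defaults(c_defaults: str) -> Tuple[str, bool]:
    """Return (new_defaults_json, changed).

    Only the 2FA flag is touched; language, time zone and every other
    preference in the document are preserved as they were.
    """
    defaults = json.loads(c_defaults) if c_defaults else {}
    if not isinstance(defaults, dict):
        raise ValueError("c_defaults is not a JSON object")
    if not totp_enabled(c_defaults):
        return json.dumps(defaults), False
    defaults[FLAG] = 0
    return json.dumps(defaults), True


def build_update(uid: str, new_defaults: str) -> Tuple[str, tuple]:
    """Parameterised UPDATE for a DB-API driver (e.g. a MySQL connector)."""
    sql = f"UPDATE {TABLE} SET c_defaults = %s WHERE c_uid = %s"
    return sql, (new_defaults, uid)


def reset_user(uid: str, c_defaults: str) -> Optional[Tuple[str, tuple]]:
    """Statement to run for this user, or None if 2FA is already off."""
    new_defaults, changed = disable_totp_in_defaults(c_defaults)
    return build_update(uid, new_defaults) if changed else None


# Constructed sample row for demonstration; real rows come from the DB.
SAMPLE_UID = "alice@example.com"
SAMPLE_DEFAULTS = json.dumps({"SOGoLanguage": "English",
                              "SOGoTimeZone": "Europe/Berlin", FLAG: 1})

if __name__ == "__main__":
    print(reset_user(SAMPLE_UID, SAMPLE_DEFAULTS))
```

Keep a copy of the original c_defaults before running the UPDATE, and expect the change to become visible only after a delay, as the post observed.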
I hope you find this blog post helpful. If you have any comments, suggestions or questions, feel free to contact us.