@@ -161,6 +161,9 @@ If the sender's address is spoofed, the reject notice is delivered to the spoofe
...
@@ -161,6 +161,9 @@ If the sender's address is spoofed, the reject notice is delivered to the spoofe
`FROM` address, which can cause the mail server's IP or domain to appear on a block
`FROM` address, which can cause the mail server's IP or domain to appear on a block
list.
list.
WARNING:
Users can use the incoming email features without having to use two-factor authentication (2FA) to authenticate themselves first. This applies even if you have [enforced two-factor authentication](../security/two_factor_authentication.md) for your instance.
### Linux package installations
### Linux package installations
1. Find the `incoming_email` section in `/etc/gitlab/gitlab.rb`, enable the feature
1. Find the `incoming_email` section in `/etc/gitlab/gitlab.rb`, enable the feature
@@ -107,6 +107,8 @@ Enforcement affects all [direct and inherited members](../user/project/members/i
...
@@ -107,6 +107,8 @@ Enforcement affects all [direct and inherited members](../user/project/members/i
Access tokens are not required to provide a second factor for authentication because
Access tokens are not required to provide a second factor for authentication because
they are API-based. Tokens generated before 2FA is enforced remain valid.
they are API-based. Tokens generated before 2FA is enforced remain valid.
The GitLab [incoming email](../administration/incoming_email.md) feature does not follow 2FA enforcement. Users can use incoming email features such as creating issues or commenting on merge requests without having to authenticate themselves using 2FA first. This applies even if 2FA is enforced.
### 2FA in subgroups
### 2FA in subgroups
You can enable and enforce 2FA for individual subgroups in the same way as a top
You can enable and enforce 2FA for individual subgroups in the same way as a top
