Is multi factor authentication practical/feasible?

On 7/6/22 12:09, Jochen Bern wrote:
> On 01.07.22 20:02, Jochen Bern wrote:
>> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), 
>> POP, and IMAP protocol definitions do not provide elbow room to make 
>> *two* rounds of authentication. (Ever pondered why the admin can 
>> require O365 users to "use 2FA", but users then are still allowed to 
>> create "application passwords", note plural and lack of standard 
>> password features like a limited lifetime for those?)
> On 04.07.22 21:29, Michael Peddemors wrote:
>> The only problem is, having looked at several of these insurance
>> companies forms, it is almost as if an o365 sales person wrote the
>> requirements.
> On 04.07.22 22:23, gene heskett wrote:
>> This seems to be a place where the ITEF (IETF?) has seriously dropped
>> the ball. They do not well understand the chaos that will be created if
>> THEY do not set a cast iron std that even Redmond can follow or go home.
>> I don't think we can scream that too loud if THEY don't get off the dime
>> and do something toward setting a standard.
> Speak of the devil ...
> Today, our company got hit by the 
> 48h-unless-your-admins-abort-it-for-NOW rolling outages O365 does as 
> an (un)friendly reminder that (what THEY call) "Basic Authentication" 
> will be disabled on 01-Oct:
> Apparently, they already wrote and published standards on how the 
> world shall introduce "Modern Authentication" (OAuth 2.0) into 
> protocols like POP and IMAP:
> As far as I can see from what I tested today (mainly switching my 
> Thunderbird from "Normal Password" to "OAuth"), Clients effectively 
> *have* to be "also a browser" (rendering the HTML for O365's login 
> prompts, accepting and sending user input, storing the OAuth token as
> an HTTP cookie) to be able to do that. SMTP remains exempt from the
> requirement for now, on the theory that printers and the like may want 
> to use it, and not be up to implementing the new stuff. (Otherwise, 
> MS' position can be summarized as "our clients work great, Thunderbird 
> succeeded in implementing it, if your client doesn't, go nag the vendor".)
And one more time we have allowed a sworn enemy to set the standard, 
shame on us.
> I wonder when our ticket systems apparently ceased handling e-mails 
> (via SMTP *and IMAP*) outside our office hours so as *not* to qualify 
> for a similar exception.
> Please excuse me for the rest of the day, I need to incinerate a 
> neighbor-of-Nintendo-shaped effigy at today's company BBQ ...
> Regards,
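
Added example, not part of the thread or written by any poster: the thread does not name the mechanism, so this sketch assumes SASL XOAUTH2, which Microsoft and Google document for OAuth 2.0 over IMAP, POP and SMTP. It shows that the mail protocol still carries a single authentication round, with the bearer token obtained beforehand in the browser-style login; the address and token are constructed placeholders.

```python
import base64
import json

SEP = "\x01"  # Ctrl-A separates and terminates the fields


def build_xoauth2(user: str, access_token: str) -> str:
    """Client: the whole credential is ONE base64 SASL initial response."""
    if not user or not access_token:
        raise ValueError("user and token are required")
    if SEP in user or SEP in access_token:
        raise ValueError("separator byte inside a value")
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def imap_authenticate(tag: str, user: str, access_token: str) -> str:
    """The single command line an IMAP client sends (assumes SASL-IR)."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2(user, access_token)}"


def parse_xoauth2(b64: str) -> dict:
    """Server: strict parse, rejecting anything but user= and auth=Bearer."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminator")
    fields = raw[:-2].split(SEP)
    if len(fields) != 2:
        raise ValueError("expected exactly two fields")
    user_f, auth_f = fields
    if not user_f.startswith("user=") or not auth_f.startswith("auth=Bearer "):
        raise ValueError("unexpected field")
    return {"user": user_f[5:], "token": auth_f[len("auth=Bearer "):]}


def decode_failure(b64_challenge: str) -> dict:
    """Client: on rejection the server replies with base64-encoded JSON."""
    return json.loads(base64.b64decode(b64_challenge, validate=True))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(imap_authenticate("A1", "user@example.com", "tok123"))
```

The second factor never appears in this exchange: it is enforced at the identity provider when the token is issued, which is why the client has to drive a web login first.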

