With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. >From there, Thunderbird supports OAuth so that should work.
Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?