The thing is that people must stop expecting "being able to access mail wherever you are" without extra steps.
The best solution is to offer a webmail with TOTP or SQRL or a similar secure auth method.
Then have that webmail add the IP or country to a trusted list, so if you want to access IMAP mail or SMTP mail from hotel wifi, you simply do one single login to webmail, and then your IMAP/SMTP will work as usual.
The problem with certificates is, as I said, that not many clients support them. Outlook supports them natively, I don't know if Windows Mail supports them, and I don't know if Samsung Mail supports them (maybe they do support client certificates in Enterprise mode, but then you need a license for that). K9 Mail I know supports them; for other built-in email clients I don't know if they support client certificates.
The solution I have for my email is an OpenVPN connection to my server, which is protected. My phone has a 24/7 connection to that VPN server, and thus I'm able to lock out all logins from outside the VPN.
-----Original Message-----
From: dovecot-bounces@dovecot.org <dovecot-bounces@dovecot.org> On behalf of @lbutlr
Sent: 15 July 2021 18:37
To: dovecot mailing list <dovecot@dovecot.org>
Subject: Re: 2FA/MFA with IMAP & postfix/submission
On 2021 Jul 15, at 08:52, Alex <mysqlstudent@gmail.com> wrote:
Client certs appear to be a good solution.
A solution, certainly. A GOOD solution? Not really.
What's the process for managing them with more than a hundred client accounts?
And that's the first issue.
The second issue is "my primary device is not available, I need to login from this other computer or use my phone which is unsuitable for this task. Too bad I have no choice but to use the phone because this computer doesn’t have the cert."
And then you have the "now that I've installed this cert, this computer is considered trusted" which is another issue.
2FA is a lot more flexible and robust.
OATH works well. SQRL looks promising though it requires a web UI to do the authentication (and SQRL does away with passwords as well).
I believe the problem they are trying to solve is hacked accounts from compromised passwords. Do client certs solve that problem?
Maybe. Depends on if the hacker can get access to the user's machine or not.
Perhaps there are dovecot (and postfix submission) options to at least restrict access by IP?
It is certainly possible in Postfix, but that opens up its own issues. It may be acceptable in some corporate environs, but in most situations being able to access your email wherever you are is a requirement.
-- The wages of sin is death, but so is the salary of virtue, and at least the evil get to go home early on Fridays. --Witches Abroad
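As an added illustration of the "one TOTP login to webmail, then trust that source IP for IMAP/SMTP" scheme described at the top of this reply (example code written for this page, not code from the list thread, Dovecot or Postfix), assuming an RFC 6238 TOTP check and an in-memory trust list keyed by user and source network; the /32 prefix, the 12-hour TTL and the one-step drift window are assumptions, and the "country" variant is not modelled:

```python
import hashlib
import hmac
import ipaddress
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TrustList:
    """Source networks that completed a TOTP webmail login, with expiry.

    IMAP/SMTP logins are only allowed from a network the same user trusted
    recently; this does not replace the normal password check on those
    protocols, it is an extra gate in front of it.
    """

    def __init__(self, ttl: int = 12 * 3600, prefix: int = 32):
        self.ttl = ttl          # assumed: trust lasts 12 hours
        self.prefix = prefix    # assumed: trust only the single IPv4 address
        self._entries = {}      # (user, network) -> expiry timestamp

    def webmail_login(self, user, secret, code, client_ip, now) -> bool:
        """Verify the TOTP code; on success trust the client's network."""
        # Accept the current step and one on each side to tolerate clock drift.
        valid = any(hmac.compare_digest(totp(secret, now + d * STEP).encode(),
                                        str(code).encode()) for d in (-1, 0, 1))
        if not valid:
            return False
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        self._entries[(user, net)] = now + self.ttl
        return True

    def imap_allowed(self, user, client_ip, now) -> bool:
        """Check a later IMAP/SMTP connection against the trust list."""
        addr = ipaddress.ip_address(client_ip)
        for (u, net), expiry in list(self._entries.items()):
            if expiry <= now:
                del self._entries[(u, net)]   # expired entries are dropped
            elif u == user and addr in net:
                return True
        return False
```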