[MlMt] Follow Up to Email Concerns

Niels Kobschätzki niels at kobschaetzki.net
Thu Jun 24 23:29:32 EDT 2021

Yeah, IMAP and 2FA is a problem. I looked into it some time ago because I wanted to implement it for my employer, because we have a medium-sized commercial email platform. Adding 2FA to a web application is no problem these days. But with IMAP the only chances I see are workarounds for the setup, like application-specific passwords or OAuth tokens. Both are actually not that simple to implement, depending on the technology you use for your user database.
You might be able to hack yourself some true 2FA into your IMAP server, like Dovecot, with a custom implementation, but what would the workflow look like?
You cannot tell through IMAP “trust this device for x amount of days” since clients do not offer an interface for something like that and nothing like this is in the RFCs for IMAP. And they don’t have an interface for the second factor (might use the password input though).
Thus the only chance to not have a completely annoying workflow would mean that you need to keep open the connection with the IMAP server. IMAP IDLE might do that. But IDLE is not available on mobile clients. Thus on your phone you would have to log in to your account each time you open up the app.
So it would be actually somehow doable but the costs for the provider would be just too high. They would need to develop some authentication extension for their used server application. Then they would probably need to convince client developers to add support for this to their clients. And now we are in the “only players like Google are big enough to be important enough that client-devs might consider it” and then they have to support it. And for the mobile clients that will be annoying and will probably create lots of calls.
I guess they still have IMAP running but allow it only from their webmail interfaces via some internal connections.

Yes, it sucks for you and anyone with a decent e-mail-workflow but I kind of understand it. 



> On 25. Jun 2021, at 02:36, Harvey Leff <hsleff at gmail.com> wrote:
> alleged
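
The application-specific-password workaround mentioned in the message above, sketched as an added example that is not part of the original post or of any provider's code. The in-memory `APP_PASSWORDS` store and all function names are hypothetical; the assumption is that the web UI calls `issue_app_password` only after a 2FA login and the IMAP server's password backend calls `verify_imap_login`.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32-style, easy to type

# Constructed stand-in for the provider's user database (assumption):
# user -> {device label -> (salt, scrypt hash of the app password)}
APP_PASSWORDS = {}


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def issue_app_password(user: str, label: str) -> str:
    """Called by the web UI only after the user has passed 2FA there.
    Returns the plaintext once; only the salted hash is stored."""
    plaintext = "".join(secrets.choice(ALPHABET) for _ in range(20))
    salt = secrets.token_bytes(16)
    APP_PASSWORDS.setdefault(user, {})[label] = (salt, _kdf(plaintext, salt))
    return plaintext


def verify_imap_login(user: str, password: str) -> Optional[str]:
    """Check an IMAP LOGIN against the app passwords only. The account's
    main password is never consulted, so it stays behind 2FA on the web.
    Returns the matching device label, or None to reject the login."""
    candidate = password.replace(" ", "").lower()
    matched = None
    for label, (salt, stored) in APP_PASSWORDS.get(user, {}).items():
        if hmac.compare_digest(_kdf(candidate, salt), stored):
            matched = label  # keep looping: same work whichever entry matches
    return matched


def revoke(user: str, label: str) -> bool:
    """Drop one device's password; other devices keep working."""
    return APP_PASSWORDS.get(user, {}).pop(label, None) is not None
```

Returning the device label lets the provider log which client authenticated and revoke a lost phone without touching the user's other mail clients.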