Indeed, but the application specific passwords are constant. You need to assess your threat model and your risk appetite, but an application-specific password is on the one hand good, because an attacker who learns it "only" has access to your email (which is small comfort if the email permits password resets on other accounts, of course) but has that access on an ongoing basis. Certainly, if your security policy mandates 2FA, then application-specific passwords won't satisfy that requirement. ian On 15/01/2021, 18:37, "Adam Tauno Williams" <awilliam@xxxxxxxxxxxxx> wrote: On Fri, 2021-01-15 at 17:44 +0000, Ian Batten via Info wrote: > No, because IMAP clients are continuously creating and destroying > IMAP sessions. > The correct solution if you need two-factor authentication for a mail > server is to put the IMAP service behind a VPN server and permit > access to email only via the VPN, which in turn has two-factor > authentication. Stacks like Office365 "solve" the two factor authentication requirement in the case of services like IMAP & SMTP by having "application passwords". So my IMAP password is distinct from my user password; it is both machine generated [longish and random] and also does not expire. ------------------------------------------ Cyrus: Info Permalink: https://cyrus.topicbox.com/groups/info/T0cce10bfd349100c-M8b945e23c9c1181d97e993e5 Delivery options: https://cyrus.topicbox.com/groups/info/subscription