Indeed, but the application specific passwords are constant. You need to assess your threat model and your risk appetite, but an application-specific password is on the one hand good, because an attacker who learns it "only" has access to your email (which is small comfort if the email permits password resets on other accounts, of course) but has that access on an ongoing basis. Certainly, if your security policy mandates 2FA, then application-specific passwords won't satisfy that requirement.
ian
On 15/01/2021, 18:37, "Adam Tauno Williams" <awilliam@xxxxxxxxxxxxx> wrote:
On Fri, 2021-01-15 at 17:44 +0000, Ian Batten via Info wrote:
> No, because IMAP clients are continuously creating and destroying
> IMAP sessions.
> The correct solution if you need two-factor authentication for a mail
> server is to put the IMAP service behind a VPN server and permit
> access to email only via the VPN, which in turn has two-factor
> authentication.
Stacks like Office365 "solve" the two factor authentication requirement
in the case of services like IMAP & SMTP by having "application
passwords". So my IMAP password is distinct from my user password; it
is both machine generated [longish and random] and also does not
expire.
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T0cce10bfd349100c-M8b945e23c9c1181d97e993e5
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
