Gabriele
Sonicle S.r.l. : http://www.sonicle.com
eXoplanets : https://gabrielebulfon.bandcamp.com/album/exoplanets
From: paul.dekkers@xxxxxxxxxx
To: Info <info@xxxxxxxxxxxxxxxxxx>
Date: 18 January 2021 10:52:54 CET
Subject: Re: two factor auth
Hi,

X509/client-certificates actually work very well, I've been using it for quite some time. I guess the client-certificate provisioning is a bit hard for users.

I myself was curious about a mechanism via XOAUTH2 authentication that some big players support; (I presume) it means you authenticate once via a web page (option for 2nd factor) and use a bearer token to authenticate from that moment on.

I don't think Cyrus SASL supports XOAUTH2 yet; I noticed Dovecot does and was thinking about the option to use Dovecot as a proxy with XOAUTH2 authentication and use authorization (from the admin user) to Cyrus (or try the mechanism in Dovecot first for that matter).

I guess there are more clients that support x509 compared to XOAUTH2 though, but you can have users enable less safe mechanisms explicitly perhaps, and support multiple mechanisms.

Paul
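
The bearer-token step mentioned in the message above, as an added example that is not part of the original e-mail and not code from Cyrus or Dovecot: a strict parser for the SASL XOAUTH2 initial client response as a proxy in front of the IMAP server would receive it. The function names and the sample user and token are constructed for illustration.

```python
import base64
import binascii


def build_xoauth2(user: str, token: str) -> str:
    """Client side: encode the SASL XOAUTH2 initial response."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(initial_response: str) -> tuple[str, str]:
    """Proxy side: return (user, token) or raise ValueError.

    Parsing only. The token must still be validated with its issuer
    (signature, expiry, audience, and that it belongs to `user`)
    before the proxy authorizes as that user on the backend.
    """
    try:
        raw = base64.b64decode(initial_response, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not valid base64/UTF-8") from exc
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing ^A^A terminator")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep or key in fields:
            raise ValueError("malformed or duplicate field")
        fields[key] = value
    user = fields.get("user", "")
    scheme, _, token = fields.get("auth", "").partition(" ")
    if not user or scheme != "Bearer" or not token:
        raise ValueError("user and Bearer token are required")
    # Reject whitespace and control characters so nothing can be
    # smuggled into the login issued to the backend server.
    if any(c.isspace() or ord(c) < 0x20 for c in user + token):
        raise ValueError("control or whitespace character in field")
    return user, token


if __name__ == "__main__":
    blob = build_xoauth2("alice@example.org", "constructed-token-123")
    print(parse_xoauth2(blob))
```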