Authentication Methods (IMAP + SMTP)

First, Josh, MANY thanks for having Your Box in the Internet universe!

Second, is there a way to use something other than Plain Text Password over TLS?
Clear options would be (Kerberos, Challenge-Response, Encrypted Password, OATH)
As for 2FA (OATH), I’ve seen some discussion here, but no real plan or ETA for implementation.

I know I am a bit paranoid suggesting a second layer of encryption on top of TLS.


I’d like to add 2FA one day, but I don’t see a simple way to add it.

I don’t see the point of the others.


In light of Heartbleed, DROWN-SSLv2 and a flood of other CVEs around, even if MIAB would not be vulnerable to some/all, having a second layer of protection (Kerberos, CRAM or similar challenge response) would highly increase the comfort level of administrators and users alike.

2FA would help as well, especially HW-based like Yubikey.

Thanks again, Josh!

I’ve just run into this. MD5’s weakness notwithstanding, CRAM-MD5 is more secure than PLAIN or LOGIN as it’s resistant to replay attacks and doesn’t expose passwords - just look on Stack Overflow for many SMTP transcripts that expose these! I’ve just migrated 50 or so users to MIAB and the previous server had CRAM-MD5, and it not being available on MIAB means a whole load of unnecessary support.
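
The difference described in the last post, as an added example that is not part of the thread or of Mail-in-a-Box: what an AUTH PLAIN token and a CRAM-MD5 (RFC 2195) response each reveal when decoded, and why a captured CRAM-MD5 response fails against a fresh challenge. The credentials, host name and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials, not taken from the thread.
USER = "alice@example.com"
PASSWORD = "correct horse battery"


def plain_token(user: str, password: str) -> str:
    """AUTH PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def new_challenge(host: str = "mail.example.com") -> str:
    """Server side: a fresh, unpredictable challenge for every attempt (RFC 2195)."""
    raw = f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>"
    return base64.b64encode(raw.encode()).decode()


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(response_b64: str, challenge_b64: str, stored_password: str) -> bool:
    """Server side: recompute the HMAC over the challenge it issued and compare.
    A real server would look up stored_password from the user name in the response."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = hmac.new(stored_password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # What a reader of a pasted SMTP transcript can recover for each mechanism.
    print("PLAIN decodes to:", base64.b64decode(plain_token(USER, PASSWORD)))
    c1 = new_challenge()
    r1 = cram_md5_response(USER, PASSWORD, c1)
    print("CRAM-MD5 decodes to:", base64.b64decode(r1))
    print("accepted for its own challenge:", server_verify(r1, c1, PASSWORD))
    print("accepted when replayed on a new challenge:",
          server_verify(r1, new_challenge(), PASSWORD))
```

Note that `server_verify` needs the password itself (or an equivalent HMAC key state) on the server, so CRAM-MD5 cannot be combined with one-way salted password hashes in the user database.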