First, Josh, MANY thanks for having Your Box in the Internet universe!
Second, is there a way to use other than Plain Text Password over TLS?
Clear options would be Kerberos, Challenge-Response, Encrypted Password, or OATH.
As for 2FA (OATH), I’ve seen some discussion here, but no real plan or ETA for implementation.
I know I am a bit paranoid suggesting a second layer of encryption atop TLS.
In light of Heartbleed, DROWN-SSLv2 and a flood of other CVEs around, even if MIAB would not be vulnerable to some/all, having a second layer of protection (Kerberos, CRAM or similar challenge response) would highly increase the comfort level of administrators and users alike.
2FA would help as well, especially HW-based like Yubikey.
I’ve just run into this. MD5’s weakness notwithstanding, CRAM-MD5 is more secure than PLAIN or LOGIN as it’s resistant to replay attacks and doesn’t expose passwords - just look on Stack Overflow for many SMTP transcripts that expose these! I’ve just migrated 50 or so users to MIAB and the previous server had CRAM-MD5, and it not being available on MIAB means a whole load of unnecessary support.
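The CRAM-MD5 exchange the post above refers to, written out as an added Python example (not code from the Mail-in-a-Box project or from the poster): the client answers a fresh server challenge with an HMAC-MD5 keyed by the password, so the password itself never crosses the wire and a captured response is useless against the next challenge. The hostname and user store are constructed; the "tim" / "tanstaaftanstaaf" pair is the worked example from RFC 2195.

```python
import base64
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str) -> bytes:
    """Server: fresh RFC 2195 style challenge '<random.timestamp@host>', different per login."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client: base64(username + ' ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def server_verify(response_b64: bytes, challenge: bytes, lookup_password) -> bool:
    """Server: recompute the HMAC for the challenge it issued and compare in constant time.
    Caveat: the server needs the password itself (or the HMAC-MD5 key state), not a salted
    one-way hash, which is the usual reason CRAM-MD5 is left out of modern deployments."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo():
    """One login, then the same captured response replayed against a new challenge."""
    users = {"tim": "tanstaaftanstaaf"}  # constructed user store
    chal1 = make_challenge("mail.example.com")  # constructed hostname
    resp1 = client_response("tim", users["tim"], base64.b64encode(chal1))
    first_login_ok = server_verify(resp1, chal1, users.get)
    chal2 = make_challenge("mail.example.com")
    replay_ok = server_verify(resp1, chal2, users.get)  # expected False
    return first_login_ok, replay_ok
```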