Re: Don't get phished! Says Sonic Support, but no MFA on email?

Posted: Wed Sep 22, 2021 5:24 pm
by kgc
Interesting. It looks like there's a quasi-standard for adding OAUTH2 support to POP/IMAP and SMTP. However, this is more or less what I meant by tokenized authentication combined with an OOB push. Presumably the push auth is done when it's initially set up and when the token expires?

Re: Don't get phished! Says Sonic Support, but no MFA on email?

Posted: Fri Sep 24, 2021 6:28 am
by abrinton
Thanks for the reply, Kelsey. I know there are many issues with legacy clients, and blocking them by implementing something like MFA. However, the OAUTH2 integration looks like it would basically close the hole. Having the option to turn this on by account and/or mailbox would be HUGE. Hopefully your mail server has a way to implement and support this!!

On a slightly different but related thought, why do you guys need to run mail services in house? Maybe migrating customer mailboxes to a 3rd party provider would be easier in the long run? I know in the corporate world very few people run email any more. I'm sure the calculation is a bit different for a provider, but hopefully Sonic has considered that...

Re: Don't get phished! Says Sonic Support, but no MFA on email?

Posted: Wed Sep 29, 2021 5:44 pm
by kgc
abrinton wrote:
On a slightly different but related thought, why do you guys need to run mail services in house? Maybe migrating customer mailboxes to a 3rd party provider would be easier in the long run? I know in the corporate world very few people run email any more. I'm sure the calculation is a bit different for a provider, but hopefully Sonic has considered that...


That's complicated. ;)

Dovecot does have OAUTH support but I'm not sure if the implementation would match our use case or what it would take for us to set up a suitable OAUTH provider. One-time passwords would be easier for us to implement but we'll look into this too.