Comments
I've never heard of mail servers associating passwords with IPs. Lots of people these days use IMAP clients on mobile devices, which get assigned new IPs all the time, or desktop PCs on dynamic addresses.
I think your best bet is to get the webmail, outbound smtp, imap, and pop ports off the internet entirely, so they can only be accessed through a VPN. Then you can set up the VPN to require 2FA for activation. At the end of the day it's still email though, with all kinds of interception opportunities before it even arrives at your server. Outbound email security also depends on the security of the receiving party, which you have no control over and which is usually crap.
By combining your password and 2FA token you're completely missing the point of 2FA. 2FA is supposed to require a completely second method of authentication (server generates a one time use token, you are sent it in an app or SMS or something).
All you're doing is letting me put a bit of a string in as my password, and adding a bit on the end.
Long app-specific passwords (such as Google's implementation) would be far better since none of the password is user-specified.
Securing webmail etc. with 2FA is good, and should be encouraged. I'll agree with you wholeheartedly on that.
RE the Zoho/WHMCS thing - this is where good user permissions come into play. Only people who need to see those settings get to see those settings. Every user should be as restricted as possible (this includes directors of companies etc. too. They're normally the biggest targets!)
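To make the distinction in the post above concrete (a one-time code appended to the password versus a real second factor, and server-generated app-specific passwords for clients that cannot do 2FA), here is an added illustration in Python. It is not code from anyone in this thread or from any of the products mentioned; the in-memory user store, the user names, the hashing parameters and the 30-second TOTP step are assumptions made for the example. The webmail login verifies the password and the RFC 6238 code as two independent checks and refuses to accept the same code twice; app passwords are generated entirely by the server, shown once and stored only as a salted hash, with a label so each one can be revoked on its own.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# In-memory stand-in for the mail server's user database (constructed for this example).
USERS = {}
PBKDF2_ROUNDS = 100_000          # assumption; tune to your hardware
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def create_user(user, password, totp_secret_b32):
    salt = secrets.token_bytes(16)
    USERS[user] = {"salt": salt, "hash": _hash(password, salt),
                   "totp_secret": totp_secret_b32,
                   "last_counter": -1,          # highest TOTP step already consumed
                   "app_passwords": []}


def issue_app_password(user, label, length=16):
    """Server-generated app-specific password: nothing in it is user-chosen.
    Returned once for display; only the salted hash is kept."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    USERS[user]["app_passwords"].append({"label": label, "salt": salt, "hash": _hash(raw, salt)})
    return " ".join(raw[i:i + 4] for i in range(0, length, 4))   # e.g. "abcd efgh ijkl mnop"


def check_app_password(user, candidate):
    """Login path for IMAP/SMTP/POP clients. Returns the label of the matching
    credential (so it can be revoked individually) or None."""
    normalized = candidate.replace(" ", "").lower()
    for entry in USERS.get(user, {}).get("app_passwords", []):
        if hmac.compare_digest(_hash(normalized, entry["salt"]), entry["hash"]):
            return entry["label"]
    return None


def totp(secret_b32, counter, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def login(user, password, code, now, window=1):
    """Interactive (webmail) login: password and one-time code arrive as two
    separate inputs and are verified as two separate factors."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return False
    counter = int(now) // 30
    for drift in range(-window, window + 1):        # tolerate small clock skew
        c = counter + drift
        if c > rec["last_counter"] and hmac.compare_digest(totp(rec["totp_secret"], c), code):
            rec["last_counter"] = c                  # each code is accepted at most once
            return True
    return False


if __name__ == "__main__":
    # Secret from the RFC 6238 test vectors; "alice" and the timestamps are constructed.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    create_user("alice", "correct horse battery staple", secret)
    shown = issue_app_password("alice", "phone IMAP")
    print("app password shown once to the user:", shown)
    print("IMAP login with it:", check_app_password("alice", shown))
    code = totp(secret, 59 // 30)
    print("webmail login:", login("alice", "correct horse battery staple", code, now=59))
    print("same code replayed:", login("alice", "correct horse battery staple", code, now=59))
```

Run it as a script to see the two login paths side by side. The design point is that `login` never has to guess where a password ends and a code begins, and the `last_counter` bookkeeping is what stops a code that was observed once from being reused within its validity window; a dedicated TOTP library would do the same things, but the logic is short enough to show in full.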
Rainloop does support 2FA and offers a free version. https://www.rainloop.net/