Hi, > Unfortunately the best way to do multifactor authentication today is to use > OAUTH2, which isn't currently supported for own installations. Or you can use > client certs. > > If you want to use some kind of MFA with tokens, you end up having to feed > your token all the time. So the best option, for now, is device passwords.
Client certs appears to be a good solution. What's the process for managing them with more than a hundred client accounts? I believe the problem they are trying to solve is hacked accounts from compromised passwords. Does client certs solve that problem? Perhaps there are dovecot (and postfix submission) options to at least restrict access by IP?
