Hi, X509/client-certificates actually work very well, I've been using it for quite some time. I guess the client-certificate provisioning is a bit hard for users.
I myself was curious about a mechanism via XOAUTH2 authentication that some big players support; (I presume) it means you authenticate once via a web page (option for 2nd factor) and use a bearer token to authenticate from that moment on. I don't think Cyrus SASL supports XOAUTH2 yet; I noticed Dovecot does and was thinking about the option to use Dovecot as a proxy with XOAUTH2 authentication and use authorization (from the admin user) to Cyrus (or try the mechanism in Dovecot first for that matter). I guess there are more clients that support x509 compared to XOAUTH2 though, but you can have users enable less safe mechanisms explicitly perhaps, and support multiple mechanisms. Paul ------------------------------------------ Cyrus: Info Permalink: https://cyrus.topicbox.com/groups/info/T0cce10bfd349100c-M663860a2f7622c09dcea280e Delivery options: https://cyrus.topicbox.com/groups/info/subscription
