>>implement XOAUTH2 (which hopefully will already be supported by the client)
Most MUAs don't support this except with a predefined list of providers. For example, Samsung Email only supports XOAUTH2 for Gmail, Yahoo, Hotmail/Outlook, Exchange and Office365 servers. All others don't support it. Not even auth methods that are technically possible in software (like certificate auth, which should require no software changes except for a certificate picker GUI since it's handled by the system) are supported by, for example, Samsung Email. Outlook on PC I don't know if they support it, if they actually query the server for XOAUTH2 support or if it just compares the part after @ that the user entered with a hard-coded (or Microsoft-server-side) list of providers which they know support XOAUTH2. Windows Mail for Windows 11 supports the following XOAUTH2 providers: Outlook.com, Office 365, Gmail, Yahoo and iCloud (Apple).

So SADLY. Forget XOAUTH2. Better with the auth scheme I suggest, but with maybe a /24 cutoff so it will allow everything from a.b.c.0 to a.b.c.255 if there is a problem with users having to "reauthenticate" every day. That's still gonna limit attack surface greatly. Or tie it to ASN ID, or Netname in WHOIS, or use FCrDNS to authenticate, like take the PTR, do a forward check on the domain, then take the SLD and TLD (so 123.123.123.123.dyn.isp.org becomes isp.org) and then add that domain to user auth list. There's a lot of tinkering you can do with IP numbers to "fine tune" an authentication system so it doesn't false trip on legitimate users.

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
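The per-user allow list sketched above (a /24 cutoff around previously seen addresses, plus a domain derived from forward-confirmed rDNS) can be illustrated with a small offline model. The code below is an added example and is not from the post or from any mail server; the PTR and A records, the tiny public-suffix table and the address values are all constructed. It goes slightly beyond the post in two places: it uses a /64 rather than /24 for IPv6 addresses, and it derives the "SLD and TLD" with a suffix table so that names under multi-label suffixes such as `co.uk` do not collapse to the suffix itself. A client whose PTR does not resolve back to its own address gets no domain and so can only be trusted via the network rule.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed DNS data standing in for live PTR and A lookups (offline illustration only).
FAKE_PTR: Dict[str, str] = {
    "203.0.113.45": "45.113.0.203.dyn.isp.example",
    "203.0.114.8": "8.114.0.203.dyn.isp.example",   # same ISP, different /24
    "198.51.100.7": "mail.corp.example",
    "192.0.2.9": "host.spoofed.example",            # PTR that does not forward-confirm
}
FAKE_A: Dict[str, List[str]] = {
    "45.113.0.203.dyn.isp.example": ["203.0.113.45"],
    "8.114.0.203.dyn.isp.example": ["203.0.114.8"],
    "mail.corp.example": ["198.51.100.7"],
    "host.spoofed.example": ["192.0.2.200"],
}

# Constructed stand-in for the Public Suffix List; a real deployment would load the full list.
PUBLIC_SUFFIXES: Set[str] = {"example", "com", "org", "uk", "co.uk"}


def registrable_domain(name: str) -> str:
    """Return the registrable part of a hostname (one label above the longest public suffix)."""
    labels = name.rstrip(".").lower().split(".")
    # Try the longest suffix first so "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def fcrdns_domain(ip: str, ptr: Dict[str, str] = FAKE_PTR,
                  fwd: Dict[str, List[str]] = FAKE_A) -> Optional[str]:
    """Forward-confirmed rDNS: PTR -> name, then the name must resolve back to ip.

    Returns the registrable domain of the confirmed name, or None when the
    PTR is missing or the forward lookup does not contain the original address.
    """
    name = ptr.get(ip)
    if name is None:
        return None
    if ip not in fwd.get(name, []):
        return None
    return registrable_domain(name)


def surrounding_network(ip: str) -> ipaddress._BaseNetwork:
    """/24 for IPv4 as in the post; /64 for IPv6 (an assumption, since /24 is meaningless there)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


@dataclass
class UserAuthPolicy:
    """Per-user allow list learned from earlier successful logins."""
    networks: Set[ipaddress._BaseNetwork] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)

    def learn(self, ip: str) -> None:
        """Record the client's network and, when FCrDNS passes, its registrable domain."""
        self.networks.add(surrounding_network(ip))
        dom = fcrdns_domain(ip)
        if dom is not None:
            self.domains.add(dom)

    def is_trusted(self, ip: str) -> bool:
        """True if the address falls in a learned network or forward-confirms to a learned domain."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            return True
        dom = fcrdns_domain(ip)
        return dom is not None and dom in self.domains


def demo() -> dict:
    """Learn one login from a dynamic ISP address and check several later clients."""
    policy = UserAuthPolicy()
    policy.learn("203.0.113.45")
    return {
        "same_/24": policy.is_trusted("203.0.113.200"),   # no PTR at all, but inside the /24
        "same_isp_other_/24": policy.is_trusted("203.0.114.8"),
        "other_domain": policy.is_trusted("198.51.100.7"),
        "forged_ptr": policy.is_trusted("192.0.2.9"),
    }


if __name__ == "__main__":
    print(demo())
```

The domain rule is what lets a dynamic-IP user roam across an ISP's pools without re-authenticating every day, while the forward-confirmation step is what stops an attacker who controls reverse DNS for their own address space from simply naming their host under the victim's ISP domain.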
