dovecot - Oct 2020 - SV: SV: Looking for a guide to collect all e-mail from the ISP mail server

I would have to also hack the email client since I don't enter my 20
character high entropy password when I send or retrieve email.

You really need an email standard to integrate TOTP. To be realistic, you need
Gmail to use it. Whatever Gmail wants is essentially a defacto standard. I live
in the real world, so whatever Google wants, I comply.







? Original Message ?


From: jtam.home at gmail.com
Sent: October 27, 2020 3:57 PM
To: dovecot at dovecot.org
Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP mail
server


On Tue, 27 Oct 2020, Sebastian Nielsen wrote:
> Kind of stupid that there doesn't exist some common standard for 2FA
that
> works in email clients.
You can bodge it for HOTP/TOTP hardware token generators.? Dovecot allows
custom plugins to check passwords.? The plugin can take passwords of
the form {password}+{2fa-token}, then split each part to check against
authentication systems to check validity.

Joseph Tam <jtam.home at gmail.com>

>>Whatever Gmail wants is essentially a defacto standard.
Gmail have solved it with a Oauth authorization scheme. Basically, first time
setting up mail, you are asked to authenticate by 2FA in a webview, then a
shared secret is established, that is used during SMTP and IMAP time.
Both Hotmail and Gmail is using this hackish webview solution for Outlook
integration (and integration in some other email clients).

Thats why Google and Microsoft have their own buttons inside Outlook and some
other mail clients.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5715 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20201028/bc0fd4f6/attachment-0001.p7s>

And which email clients can do this? 

A defacto standard needs to be adopted. If I don't provide SPF or DKIM, I am
likely to be deemed spammy, hence a defacto standard has been established. I
don't see this with TOTP.

I'm all for TOTP, but I'm not going to code my own. 





	? Original Message ?	


From: sebastian at sebbe.eu
Sent: October 27, 2020 5:56 PM
To: dovecot at dovecot.org
Reply-to: dovecot at dovecot.org
Subject: SV: SV: Looking for a guide to collect all e-mail from the ISP mail
server

>>Whatever Gmail wants is essentially a defacto standard.
Gmail have solved it with a Oauth authorization scheme. Basically, first time
setting up mail, you are asked to authenticate by 2FA in a webview, then a
shared secret is established, that is used during SMTP and IMAP time.
Both Hotmail and Gmail is using this hackish webview solution for Outlook
integration (and integration in some other email clients).

Thats why Google and Microsoft have their own buttons inside Outlook and some
other mail clients.