Step 1: You want to set this up because two factor authentication is practically mandatory these days.

Step 2: It’s not (currently) possible.

Step 3: Get sad.

You’re probably quite cross at this point, because my title will have click-baited you into coming here hoping for the answers which I spent a few hours looking for in vain. Let me at least explain myself…

The year is 2024 (and not for much longer), so we all want a second factor of authentication on, well, everything. Although I am (for now) persisting in running my own e-mail system, I’d much rather not run a password database to go with it. For websites it’s straightforward enough to use “sign in with Google” (other tech giants are available) to rid yourself of the worry of running an authentication system.

It’s not just about keeping up with how to store and hash passwords, of course - by handing off the authentication to one of the giants, you can leave them to drop 2FA into the mix and support codes, passkeys, hardware tokens, and so on.

I’ve been meaning to sort out a second factor on my self-hosted e-mail for some time. Of course, any sane corporate entity has had their e-mail locked down tight for a while, so it must be possible, right?

Well, as you probably know, the way Google Apps and Office 365 do it is by using OAuth2. No matter whether you are signing in to the web app, or from a desktop or native app, the sign in takes you to a web browser, and that’s where passkeys, hardware security keys, codes from your phone, or even just an SMS can come into play.

Don’t quote me on this, but I believe Office 365 now only supports this method of signing in, and I suspect Google won’t be too far behind.

On one end of my e-mail setup we have the Dovecot imap server, and there’s a sparse but promising-looking page in their manual about using OAuth2. It even has examples for Google, and I’d be quite happy to extend the “sign in with Google” metaphor to my personal e-mail. Although it’s not clear how one would provide a whitelist of Google accounts one actually wanted to be able to access the Dovecot server.

Where you hit a brick wall, though, is with Thunderbird. Sure, there’s what looks like the right option in the drop-down, but it turns out that it only supports a hard-coded list of providers.

Now, I’m not blaming the Thunderbird developers here. Many are volunteers, and they’ve given an awful lot of value away to people like me who have used their e-mail software for decades without donating a sou in return. However, as is alluded to on that bug and other related threads, the lack of client support for OAuth2 outside of the “big” e-mail providers is effectively a death sentence for self-hosted e-mail. Certainly in a corporate setting, the push for 2FA is rightly proceeding at pace, and those of us doing our own thing for personal reasons ought not to be far behind.

Obviously,I don’t want to say too much about my security arrangements, but I will admit that as a stop-gap I have implemented my own version of device-specific passwords to try and shore things up until I decide where to go from here.

I hear Mutt supports OAuth2, but that’s not great for more “civilian” users. I also see that FastMail are doing the device-specific passwords + 2FA for the web interface, so perhaps that’s what I’ll migrate to in due course.

Oh, and I never even got as far as the sending-outbound-mail side of things - it’s less of a security concern, but it would be nice to have it all harmonized. Any sign of Exim supporting OAuth? Er, no.