[VladVladikoff]

Holy those checklists are the bane of my existence. For example demanding 2FA for email, which is impossible if you self host, unless you force everyone to use RoundCube, but then you have to answer to the CEO why he can’t get email on his iPhone in the mail app.

Or just loads of other stuff that really only applies to large Fortune 500 size companies. My small startups certainly don’t have a network engineer on staff who has created a network topology graph and various policies pertaining to it, etc etc. the list goes on, I could name 100s of absurd requirements these insurance companies want that don’t actually add any level of security to the organization, and absolutely do not apply to small scale shops.

[briHass]

And... this is why the hyperscale cloud is such a compelling choice, even though it costs 10x what running your own servers would cost.

Adding the security feature(s) you need is just a +$100/m checkbox, and they generally have sane defaults or templates that will position you better than some 3rd party vendor with confusing documentation and infrequent updates that require downtime windows to apply.

[JambalayaJimbo]

Why is 2FA impossible if you self host?

[VladVladikoff]

IMAP is ancient and in its own does not support 2FA. You could do it with webmail clients but you can’t do it with plain ol’ IMAP. I have seen some attempts at it where the password is concatenated with the TOTP, but the nature of mail clients frequent polling means users would be constantly hammers with requests to reauthenticate. There is an RFC for OAUTH2 BEARER support and there are even some servers which support it (eg Stalwart IIRC) however there are literally zero clients which support it (AFAIK). And you especially can’t use any of the main top 10 email clients that most people use, there may be some small obscure mail client that supports it, but even Thunderbird lacks support.

[technion]

I'm mostly with you (see my other comment) but MFA on email really is table stakes and your CEO will be the first to be phished without it.

[noAnswer]

I like to implement independent mail systems. No SSO BS. IT enters the password into the mail client while setting up the laptop and phone. The boss can't be phished if he doesn't know his password (or if the password has no use on the internet).

I also like to put everything behind a VPN (again no SSO). But the bigger the company gets, sooner or later this will come to an end. Because it's not "best practice" to not be phishable. Apparently what is needed are layers and layers of BS "security" products that can be tricked by a kid that has heard of JS. https://browser.security