What measures?
Two-factor for all shell access to network systems.
- Easy to implement for SSH
Mail submission?
- SMTP-AUTH
- TLS
Alternatively no remote access to POP3
Access from VPN. Or SSH tunnel.
Initially remote access with TLS and 1-factor auth.
Close off and separate IMAP/POP server once VPN in place.
Authentication
- Create a local CA
or try: http://www.cacert.org/
- Create certs for use by Postfix, Dovecot, SquirrelMail
Can the same CA cert be used to sign all service certs?
Should do. The domain should only need to match exactly for the service certs. The CA cert can probably be "phase1". Otherwise how would VeriSign etc. use a single signing cert for the millions of other
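A sketch of the single-CA setup discussed above, added as an example and not part of the original notes: one local CA signs a certificate for each service, and each certificate validates only for its own hostname. The `example.test` hostnames, file names, and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: one local CA signing certificates for several mail services.
# Hostnames under example.test are constructed placeholders.

# make_ca DIR: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Local Mail CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR HOST: create a key and CSR for HOST, then sign it with the CA.
# The hostname goes into subjectAltName, which is what clients match against.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -days 365 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# check_cert CAFILE CERT HOST: succeed only if CERT chains to CAFILE
# and is valid for HOST.
check_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo: one CA, three service certificates (SMTP, IMAP/POP, webmail).
work=$(mktemp -d)
make_ca "$work"
for host in smtp.example.test imap.example.test webmail.example.test; do
    issue_cert "$work" "$host"
    check_cert "$work/ca.pem" "$work/$host.pem" "$host" && echo "OK   $host"
done
# A service certificate is only valid for its own hostname.
check_cert "$work/ca.pem" "$work/smtp.example.test.pem" imap.example.test \
    || echo "FAIL smtp cert presented as imap (expected)"
```

Clients then need only `ca.pem` installed as a trust anchor to validate all three services; `ca.key` stays off the mail servers.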
Can a single server be used for mail & https authentication?
SASL can probably be configured to delegate to a single server
http://www.openinput.com/auth-howto/
Two-Factor Auth
- Smart Token
http://www.aladdin.com
Suitable for system login and SSL?
Requires client software?