> Full access from any IP (except firehol-blacklist and fail2ban) is > possible over VPN (openvpn) with MFA (privacyidea). > Privacyidea also supplies a mobile-app compatible with a.o. TOTP and > HOTP but it provides a more secure way of enrollment (2-step).
How are you managing dns/clients etc so only the email traffic is goes through the vpn and no other traffic?