In this page:
they both write:
“However, that means that users on the road or in the office are unable to send mail, which is a real problem for many of our users. This violates RFC 4409 as well and is an outdated configuration. Please try find a configuration that works in all cases, for the sake of the users.”
about IP-restricted SMTP servers, and:
“If you are an ISP, please by all means avoid this. It’s one of those “walls” against which users run the hard way.”
about requiring visiting a web page to “activate” IMAP/SMTP account.
I think this shouldn’t really be discouraged. SMTP and IMAP have no support for more secure authentication methods than a password, so first-time authenticating with for example TOTP or mobile apps aren’t supported either.
Password hacking, especially at SMTP account, are a real problem, and I was required to insert IP restriction on my SMTP & IMAP server to not have bots to guess my password and then start sending spam.
I think Mozilla should encourage a very specific configuration - and that is enabling the login to the email account by “activating” it with a secure method like TOTP or another two-factor method for a particular IP. Could be combined with a client-ip restriction to pre-allow it for example inside a ISP network or specific country (geoIP block). And then require TOTP or additional activation when outside this.