We need a way to distinguish between internal and external connections, based on source IP, and we need finer control over what external access is allowed, by protocol and by user.
- We should be able to configure some user accounts for internal access only.
- We should be able to configure two-factor authentication so that it is only required on external connections.
- We should be able to control, per user and per protocol, whether external access is allowed.
- For protocol control purposes, the technologies that share port 443 should be treated as separate protocols (Webmail, EAS, EWS, MAPI). Each should be configurable for whether external access is allowed at all. When it is allowed, we should be able to control whether it is allowed for all accounts or only for specific individuals.
Firewall rules can block all external access to a protocol that has its own port, but they cannot provide user-level control, and because Webmail, EAS, EWS and MAPI all arrive on port 443 a port-based rule cannot separate them at all. Distinguishing them requires a reverse proxy or WAF that terminates TLS and inspects the request path, and user-level control additionally requires the proxy to read the credentials each protocol presents. This is difficult because SmarterTools has not tested or documented integration between WAF technology and SmarterMail.
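To make the requirements above concrete, the following is an added example (not SmarterTools code and not a documented SmarterMail feature) of the policy logic such a reverse proxy or WAF would have to evaluate per request: classify the source IP as internal or external, classify the request into Webmail, EAS, EWS, MAPI or Autodiscover by URL prefix, then apply a per-protocol external policy and, where the protocol carries HTTP Basic credentials, a per-user rule. The internal networks, the policy table, the internal-only account and the user names are assumptions; the URL prefixes are the ones the Exchange-compatible protocols use generally, since SmarterTools does not document them for WAF use.

```python
import ipaddress
from base64 import b64decode, b64encode
from dataclasses import dataclass
from typing import Optional

# Assumed internal address ranges; replace with the site's actual networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Protocol-standard URL prefixes (assumed; not taken from SmarterMail documentation).
PROTOCOL_PREFIXES = (
    ("/microsoft-server-activesync", "EAS"),
    ("/ews/", "EWS"),
    ("/mapi/", "MAPI"),
    ("/autodiscover/", "Autodiscover"),
)


@dataclass(frozen=True)
class ExternalPolicy:
    allowed: bool                      # may this protocol be reached from outside at all?
    users: Optional[frozenset] = None  # None = any account; otherwise only these accounts


# Example policy (assumption): Webmail open externally, EAS only for listed users,
# EWS and MAPI internal-only, Autodiscover open so clients can still be provisioned.
POLICY = {
    "Webmail": ExternalPolicy(True),
    "EAS": ExternalPolicy(True, frozenset({"alice@example.com"})),
    "EWS": ExternalPolicy(False),
    "MAPI": ExternalPolicy(False),
    "Autodiscover": ExternalPolicy(True),
}

# Accounts that may never be used from outside, whatever the protocol (assumption).
INTERNAL_ONLY_USERS = frozenset({"svc-scanner@example.com"})


@dataclass(frozen=True)
class Decision:
    action: str        # "allow" or "deny"
    protocol: str
    internal: bool
    require_2fa: bool  # external connections must complete a second factor
    reason: str


def is_internal(src_ip: str) -> bool:
    # src_ip must be the TCP peer address (or X-Forwarded-For only when set by a
    # trusted upstream proxy); trusting a client-supplied header would let any
    # external client claim to be internal and bypass every rule below.
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(path: str) -> str:
    # Everything that is not one of the known protocol prefixes is treated as Webmail.
    lowered = path.split("?", 1)[0].lower()
    for prefix, proto in PROTOCOL_PREFIXES:
        if lowered.startswith(prefix):
            return proto
    return "Webmail"


def basic_auth_header(user: str, password: str) -> dict:
    # Builds the header an EAS/EWS/MAPI client would send; used here to construct sample input.
    return {"Authorization": "Basic " + b64encode(f"{user}:{password}".encode()).decode()}


def user_from_basic_auth(headers: dict) -> Optional[str]:
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        creds = b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = creds.partition(":")
    return user.lower() if sep else None


def decide(src_ip: str, path: str, headers: dict) -> Decision:
    proto = classify(path)
    user = user_from_basic_auth(headers)
    if is_internal(src_ip):
        return Decision("allow", proto, True, False, "internal source")
    if user in INTERNAL_ONLY_USERS:
        return Decision("deny", proto, False, False, "account is internal-only")
    policy = POLICY[proto]
    if not policy.allowed:
        return Decision("deny", proto, False, False, f"{proto} not permitted externally")
    if policy.users is not None:
        if user is None:
            # Without credentials the per-user rule cannot be evaluated; deny
            # (in a real proxy, answer 401 so the client resends with credentials).
            return Decision("deny", proto, False, False, "credentials required for per-user rule")
        if user not in policy.users:
            return Decision("deny", proto, False, False, f"{user} not permitted to use {proto} externally")
    # Webmail authenticates through its own login form, so the user is unknown at the
    # proxy; the 2FA requirement is passed to the application rather than enforced here.
    return Decision("allow", proto, False, True, "external, policy permits")
```

Two limits of this approach follow directly from the requirements: per-user rules only work where the protocol presents the user name in the request (Basic credentials on EAS, EWS and MAPI), so an "internal-only account" rule for Webmail has to be enforced inside the mail server after login; and the whole scheme depends on the proxy seeing the true client address, not a header the client can forge.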
All access methods other than Webmail allow mailbox data to be retrieved by an email client and cached on the client device, outside our control. This is an inherent security risk because the security posture of the client device is unknown, and data at rest on an unmanaged device is a problem under multiple regulatory schemes.