diff --git a/.travis.yml b/.travis.yml
index 8ca14149..47a34c19 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -44,8 +44,8 @@ jobs:
       - UPSTREAM_TAG=master
     name: upgrade-from-upstream
     install:
-      - sudo tests/system-setup/upgrade-from-upstream.sh basic
+      - sudo tests/system-setup/upgrade-from-upstream.sh basic totpuser
     script:
       # launch automated tests, but skip tests that require remote
       # smtp support because Travis-CI blocks outgoing port 25
-      - sudo tests/runner.sh -dumpoutput -no-smtp-remote default upgrade-basic
+      - sudo tests/runner.sh -dumpoutput -no-smtp-remote upgrade-basic upgrade-totpuser default
diff --git a/api/mailinabox.yml b/api/mailinabox.yml
index 57ba5aa4..a9a2c124 100644
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -8,7 +8,7 @@ info:
     This API is documented in [**OpenAPI format**](http://spec.openapis.org/oas/v3.0.3).
     ([View the full HTTP specification](https://raw.githubusercontent.com/mail-in-a-box/mailinabox/api-spec/api/mailinabox.yml).)
 
-    All endpoints are relative to `https://{host}/admin` and are secured with [`Basic Access` authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
+    All endpoints are relative to `https://{host}/admin` and are secured with [`Basic Access` authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). If you have multi-factor authentication enabled, authentication with a `user:password` combination will fail unless a valid OTP is supplied via the `x-auth-token` header. Authentication via a `user:user_key` pair is possible without the header being present.
   contact:
     name: Mail-in-a-Box support
     url: https://mailinabox.email/
@@ -46,6 +46,9 @@ tags:
   - name: Web
     description: |
       Static web hosting operations, which include getting domain information and updating domain root directories.
+  - name: MFA
+    description: |
+      Manage multi-factor authentication schemes. Currently, only TOTP is supported.
   - name: System
     description: |
       System operations, which include system status checks, new version checks
@@ -1662,6 +1665,101 @@ paths:
             text/html:
               schema:
                 type: string
+  /mfa/status:
+    post:
+      tags:
+        - MFA
+      summary: Retrieve MFA status for you or another user
+      description: Retrieves which type of MFA is used and configuration
+      operationId: mfaStatus
+      x-codeSamples:
+        - lang: curl
+          source: |
+            curl -X POST "https://{host}/admin/mfa/status" \
+              -u "<email>:<password>"
+      responses:
+        200:
+          description: Successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MfaStatusResponse'
+        403:
+          description: Forbidden
+          content:
+            text/html:
+              schema:
+                type: string
+  /mfa/totp/enable:
+    post:
+      tags:
+        - MFA
+      summary: Enable TOTP authentication
+      description: Enables TOTP authentication for the currently logged-in admin user
+      operationId: mfaTotpEnable
+      x-codeSamples:
+        - lang: curl
+          source: |
+            curl -X POST "https://{host}/admin/mfa/totp/enable" \
+              -d "code=123456" \
+              -d "secret=<string>" \
+              -u "<email>:<password>"
+      requestBody:
+        required: true
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/MfaEnableRequest'
+      responses:
+        200:
+          description: Successful operation
+          content:
+            text/html:
+              schema:
+                $ref: '#/components/schemas/MfaEnableSuccessResponse'
+        400:
+          description: Bad request
+          content:
+            text/html:
+              schema:
+                type: string
+        403:
+          description: Forbidden
+          content:
+            text/html:
+              schema:
+                type: string
+  /mfa/disable:
+    post:
+      tags:
+        - MFA
+      summary: Disable multi-factor authentication for you or another user
+      description: Disables multi-factor authentication for the currently logged-in admin user or another user if a 'user' parameter is submitted. Either disables all multi-factor authentication methods or the method corresponding to the optional property `mfa_id`.
+      operationId: mfaTotpDisable
+      requestBody:
+        required: false
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/MfaDisableRequest'
+      x-codeSamples:
+        - lang: curl
+          source: |
+            curl -X POST "https://{host}/admin/mfa/totp/disable" \
+              -u "<email>:<user_key>"
+      responses:
+        200:
+          description: Successful operation
+          content:
+            text/html:
+              schema:
+                $ref: '#/components/schemas/MfaDisableSuccessResponse'
+        403:
+          description: Forbidden
+          content:
+            text/html:
+              schema:
+                type: string
 components:
   securitySchemes:
     basicAuth:
@@ -2529,3 +2627,54 @@ components:
       type: string
       example: web updated
       description: Web update response.
+    MfaStatusResponse:
+      type: object
+      properties:
+        enabled_mfa:
+          type: object
+          properties:
+            id:
+              type: string
+            type:
+              type: string
+            label:
+              type: string
+          nullable: true
+        new_mfa:
+          type: object
+          properties:
+            type:
+              type: string
+            secret:
+              type: string
+            qr_code_base64:
+              type: string
+    MfaEnableRequest:
+      type: object
+      required:
+        - secret
+        - code
+      properties:
+        secret:
+          type: string
+        code:
+          type: string
+        label:
+          type: string
+    MfaEnableSuccessResponse:
+      type: string
+    MfaEnableBadRequestResponse:
+      type: object
+      required:
+        - error
+      properties:
+        error:
+          type: string
+    MfaDisableRequest:
+      type: object
+      properties:
+        mfa_id:
+          type: string
+          nullable: true
+    MfaDisableSuccessResponse:
+      type: string
diff --git a/conf/mfa-totp.schema b/conf/mfa-totp.schema
new file mode 100644
index 00000000..89f65dca
--- /dev/null
+++ b/conf/mfa-totp.schema
@@ -0,0 +1,65 @@
+#
+# MiaB-LDAP's directory schema for time-based one time passwords (TOTP)
+#
+# MiaB LDAP UUID(v4): 7392cdda-5ec8-431f-9936-0000273c0167
+#                 or: 1939000794.24264.17183.39222.658243943
+#
+
+objectIdentifier MiabLDAProot 2.25.1939000794.24264.17183.39222.658243943
+
+objectIdentifier MiabLDAPmfa MiabLDAProot:1
+objectIdentifier MiabLDAPmfaAttributeType MiabLDAPmfa:2
+objectIdentifier MiabLDAPmfaObjectClass MiabLDAPmfa:3
+
+# secret consists of base32 characters (see RFC 4648)
+
+attributetype ( MiabLDAPmfaAttributeType:1
+	DESC 'TOTP secret'
+	NAME 'totpSecret'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	X-ORDERED 'VALUES'
+	EQUALITY caseExactIA5Match )
+
+
+# tokens are a base-10 string of N digits, but set the syntax to
+# IA5String anyway
+
+attributetype ( MiabLDAPmfaAttributeType:2
+	DESC 'TOTP last token used'
+	NAME 'totpMruToken'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	X-ORDERED 'VALUES'
+	EQUALITY caseExactIA5Match )
+
+# the time in nanoseconds since the epoch when the mru token was last
+# used. the time will also be set when a new entry is created even if
+# the corresponding mru token is blank
+
+attributetype ( MiabLDAPmfaAttributeType:3
+	DESC 'TOTP last token used time'
+	NAME 'totpMruTokenTime'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	X-ORDERED 'VALUES'
+	EQUALITY caseExactIA5Match )
+
+# The label is currently any text supplied by the user, which is used
+# as a reminder of where the secret is stored when logging in (where
+# the authenticator app is, that holds the secret). eg "my samsung
+# phone"
+
+attributetype ( MiabLDAPmfaAttributeType:4
+	DESC 'TOTP device label'
+	NAME 'totpLabel'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	X-ORDERED 'VALUES'
+	EQUALITY caseIgnoreIA5Match )
+
+
+# The TOTP objectClass
+
+objectClass ( MiabLDAPmfaObjectClass:1
+	NAME 'totpUser'
+	DESC 'MiaB-LDAP TOTP settings for a user'
+	SUP top
+	AUXILIARY
+	MUST ( totpSecret $ totpMruToken $ totpMruTokenTime $ totpLabel ) )
diff --git a/ehdd/startup.sh b/ehdd/startup.sh
index 73ce06aa..ad4bd6dd 100755
--- a/ehdd/startup.sh
+++ b/ehdd/startup.sh
@@ -10,7 +10,7 @@ if [ -s /etc/mailinabox.conf ]; then
     systemctl start cron
     #systemctl start nsd
     systemctl link -f $(pwd)/conf/mailinabox.service
-    systemctl start mailinabox
     systemctl start fail2ban
+    systemctl restart mailinabox
 fi
 
diff --git a/management/auth.py b/management/auth.py
index 3cb4432d..46768684 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -1,9 +1,10 @@
-import base64, os, os.path, hmac
+import base64, os, os.path, hmac, json
 
 from flask import make_response
 
 import utils
 from mailconfig import validate_login, get_mail_password, get_mail_user_privileges
+from mfa import get_hash_mfa_state, validate_auth_mfa
 
 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@@ -72,17 +73,19 @@ class KeyAuthService:
 		if username in (None, ""):
 			raise ValueError("Authorization header invalid.")
 		elif username == self.key:
-			# The user passed the API key which grants administrative privs.
+			# The user passed the master API key which grants administrative privs.
 			return (None, ["admin"])
 		else:
-			# The user is trying to log in with a username and user-specific
-			# API key or password. Raises or returns privs.
-			return (username, self.get_user_credentials(username, password, env))
+			# The user is trying to log in with a username and either a password
+			# (and possibly a MFA token) or a user-specific API key.
+			return (username, self.check_user_auth(username, password, request, env))
 
-	def get_user_credentials(self, email, pw, env):
-		# Validate a user's credentials. On success returns a list of
-		# privileges (e.g. [] or ['admin']). On failure raises a ValueError
-		# with a login error message. 
+	def check_user_auth(self, email, pw, request, env):
+		# Validate a user's login email address and password. If MFA is enabled,
+		# check the MFA token in the X-Auth-Token header.
+		#
+		# On success returns a list of privileges (e.g. [] or ['admin']). On login
+		# failure, raises a ValueError with a login error message.
 
 		# Sanity check.
 		if email == "" or pw == "":
@@ -100,6 +103,12 @@ class KeyAuthService:
 				# Login failed.
 				raise ValueError("Invalid password.")
 
+			# If MFA is enabled, check that MFA passes.
+			status, hints = validate_auth_mfa(email, request, env)
+			if not status:
+				# Login valid. Hints may have more info.
+				raise ValueError(",".join(hints))
+
 		# Get privileges for authorization. This call should never fail because by this
 		# point we know the email address is a valid user. But on error the call will
 		# return a tuple of an error message and an HTTP status code.
@@ -110,16 +119,27 @@ class KeyAuthService:
 		return privs
 
 	def create_user_key(self, email, env):
-		# Store an HMAC with the client. The hashed message of the HMAC will be the user's
-		# email address & hashed password and the key will be the master API key. The user of
-		# course has their own email address and password. We assume they do not have the master
-		# API key (unless they are trusted anyway). The HMAC proves that they authenticated
-		# with us in some other way to get the HMAC. Including the password means that when
-		# a user's password is reset, the HMAC changes and they will correctly need to log
-		# in to the control panel again. This method raises a ValueError if the user does
-		# not exist, due to get_mail_password.
+		# Create a user API key, which is a shared secret that we can re-generate from
+		# static information in our database. The shared secret contains the user's
+		# email address, current hashed password, and current MFA state, so that the
+		# key becomes invalid if any of that information changes.
+		#
+		# Use an HMAC to generate the API key using our master API key as a key,
+		# which also means that the API key becomes invalid when our master API key
+		# changes --- i.e. when this process is restarted.
+		#
+		# Raises ValueError via get_mail_password if the user doesn't exist.
+
+		# Construct the HMAC message from the user's email address and current password.
 		msg = b"AUTH:" + email.encode("utf8") + b" " + ";".join(get_mail_password(email, env)).encode("utf8")
-		return hmac.new(self.key.encode('ascii'), msg, digestmod="sha256").hexdigest()
+
+		# Add to the message the current MFA state, which is a list of MFA information.
+		# Turn it into a string stably.
+		msg += b" " + json.dumps(get_hash_mfa_state(email, env), sort_keys=True).encode("utf8")
+
+		# Make the HMAC.
+		hash_key = self.key.encode('ascii')
+		return hmac.new(hash_key, msg, digestmod="sha256").hexdigest()
 
 	def _generate_key(self):
 		raw_key = os.urandom(32)
diff --git a/management/backend.py b/management/backend.py
index 363fe491..05edd73c 100644
--- a/management/backend.py
+++ b/management/backend.py
@@ -192,7 +192,7 @@ class LdapConnection(ldap3.Connection):
 		#         have values for each attribute in `attrs_to_update`
 		#   attrs_to_update: an array of attribute names to update
 		#   objectClasses: a list of object classes for a new entry
-		#   values: a dict of attributes and values for a new entry
+		#   values: a dict of attributes and values for a new or modified entry
 		if existing_record:
 			# modify existing
 			changes = {}
diff --git a/management/cli.py b/management/cli.py
new file mode 100755
index 00000000..1b91b003
--- /dev/null
+++ b/management/cli.py
@@ -0,0 +1,150 @@
+#!/usr/bin/python3
+#
+# This is a command-line script for calling management APIs
+# on the Mail-in-a-Box control panel backend. The script
+# reads /var/lib/mailinabox/api.key for the backend's
+# root API key. This file is readable only by root, so this
+# tool can only be used as root.
+
+import sys, getpass, urllib.request, urllib.error, json, re, csv
+
+def mgmt(cmd, data=None, is_json=False):
+	# The base URL for the management daemon. (Listens on IPv4 only.)
+	mgmt_uri = 'http://127.0.0.1:10222'
+
+	setup_key_auth(mgmt_uri)
+
+	req = urllib.request.Request(mgmt_uri + cmd, urllib.parse.urlencode(data).encode("utf8") if data else None)
+	try:
+		response = urllib.request.urlopen(req)
+	except urllib.error.HTTPError as e:
+		if e.code == 401:
+			try:
+				print(e.read().decode("utf8"))
+			except:
+				pass
+			print("The management daemon refused access. The API key file may be out of sync. Try 'service mailinabox restart'.", file=sys.stderr)
+		elif hasattr(e, 'read'):
+			print(e.read().decode('utf8'), file=sys.stderr)
+		else:
+			print(e, file=sys.stderr)
+		sys.exit(1)
+	resp = response.read().decode('utf8')
+	if is_json: resp = json.loads(resp)
+	return resp
+
+def read_password():
+    while True:
+        first = getpass.getpass('password: ')
+        if len(first) < 8:
+            print("Passwords must be at least eight characters.")
+            continue
+        second = getpass.getpass(' (again): ')
+        if first != second:
+            print("Passwords not the same. Try again.")
+            continue
+        break
+    return first
+
+def setup_key_auth(mgmt_uri):
+	key = open('/var/lib/mailinabox/api.key').read().strip()
+
+	auth_handler = urllib.request.HTTPBasicAuthHandler()
+	auth_handler.add_password(
+		realm='Mail-in-a-Box Management Server',
+		uri=mgmt_uri,
+		user=key,
+		passwd='')
+	opener = urllib.request.build_opener(auth_handler)
+	urllib.request.install_opener(opener)
+
+if len(sys.argv) < 2:
+	print("""Usage:
+  {cli} user                                     (lists users)
+  {cli} user add user@domain.com [password]
+  {cli} user password user@domain.com [password]
+  {cli} user remove user@domain.com
+  {cli} user make-admin user@domain.com
+  {cli} user remove-admin user@domain.com
+  {cli} user admins                              (lists admins)
+  {cli} user mfa show user@domain.com            (shows MFA devices for user, if any)
+  {cli} user mfa disable user@domain.com [id]    (disables MFA for user)
+  {cli} alias                                    (lists aliases)
+  {cli} alias add incoming.name@domain.com sent.to@other.domain.com
+  {cli} alias add incoming.name@domain.com 'sent.to@other.domain.com, multiple.people@other.domain.com'
+  {cli} alias remove incoming.name@domain.com
+
+Removing a mail user does not delete their mail folders on disk. It only prevents IMAP/SMTP login.
+""".format(
+	cli="management/cli.py"
+		))
+
+elif sys.argv[1] == "user" and len(sys.argv) == 2:
+	# Dump a list of users, one per line. Mark admins with an asterisk.
+	users = mgmt("/mail/users?format=json", is_json=True)
+	for domain in users:
+		for user in domain["users"]:
+			if user['status'] == 'inactive': continue
+			print(user['email'], end='')
+			if "admin" in user['privileges']:
+				print("*", end='')
+			print()
+
+elif sys.argv[1] == "user" and sys.argv[2] in ("add", "password"):
+	if len(sys.argv) < 5:
+		if len(sys.argv) < 4:
+			email = input("email: ")
+		else:
+			email = sys.argv[3]
+		pw = read_password()
+	else:
+		email, pw = sys.argv[3:5]
+
+	if sys.argv[2] == "add":
+		print(mgmt("/mail/users/add", { "email": email, "password": pw }))
+	elif sys.argv[2] == "password":
+		print(mgmt("/mail/users/password", { "email": email, "password": pw }))
+
+elif sys.argv[1] == "user" and sys.argv[2] == "remove" and len(sys.argv) == 4:
+	print(mgmt("/mail/users/remove", { "email": sys.argv[3] }))
+
+elif sys.argv[1] == "user" and sys.argv[2] in ("make-admin", "remove-admin") and len(sys.argv) == 4:
+	if sys.argv[2] == "make-admin":
+		action = "add"
+	else:
+		action = "remove"
+	print(mgmt("/mail/users/privileges/" + action, { "email": sys.argv[3], "privilege": "admin" }))
+
+elif sys.argv[1] == "user" and sys.argv[2] == "admins":
+	# Dump a list of admin users.
+	users = mgmt("/mail/users?format=json", is_json=True)
+	for domain in users:
+		for user in domain["users"]:
+			if "admin" in user['privileges']:
+				print(user['email'])
+
+elif sys.argv[1] == "user" and len(sys.argv) == 5 and sys.argv[2:4] == ["mfa", "show"]:
+	# Show MFA status for a user.
+	status = mgmt("/mfa/status", { "user": sys.argv[4] }, is_json=True)
+	W = csv.writer(sys.stdout)
+	W.writerow(["id", "type", "label"])
+	for mfa in status["enabled_mfa"]:
+		W.writerow([mfa["id"], mfa["type"], mfa["label"]])
+
+elif sys.argv[1] == "user" and len(sys.argv) in (5, 6) and sys.argv[2:4] == ["mfa", "disable"]:
+	# Disable MFA (all or a particular device) for a user.
+	print(mgmt("/mfa/disable", { "user": sys.argv[4], "mfa-id": sys.argv[5] if len(sys.argv) == 6 else None }))
+
+elif sys.argv[1] == "alias" and len(sys.argv) == 2:
+	print(mgmt("/mail/aliases"))
+
+elif sys.argv[1] == "alias" and sys.argv[2] == "add" and len(sys.argv) == 5:
+	print(mgmt("/mail/aliases/add", { "address": sys.argv[3], "forwards_to": sys.argv[4] }))
+
+elif sys.argv[1] == "alias" and sys.argv[2] == "remove" and len(sys.argv) == 4:
+	print(mgmt("/mail/aliases/remove", { "address": sys.argv[3] }))
+
+else:
+	print("Invalid command-line arguments.")
+	sys.exit(1)
+
diff --git a/management/daemon.py b/management/daemon.py
index 46c84778..827b7daa 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -1,14 +1,16 @@
 import os, os.path, re, json, time
-import subprocess
+import multiprocessing.pool, subprocess
 
 from functools import wraps
 
 from flask import Flask, request, render_template, abort, Response, send_from_directory, make_response
 
-import auth, utils, multiprocessing.pool
+import auth, utils
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, set_mail_display_name, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
+from mfa import get_public_mfa_state, enable_mfa, disable_mfa
+import mfa_totp
 
 env = utils.load_environment()
 
@@ -35,23 +37,31 @@ app = Flask(__name__, template_folder=os.path.abspath(os.path.join(os.path.dirna
 def authorized_personnel_only(viewfunc):
 	@wraps(viewfunc)
 	def newview(*args, **kwargs):
-		# Authenticate the passed credentials, which is either the API key or a username:password pair.
+		# Authenticate the passed credentials, which is either the API key or a username:password pair
+		# and an optional X-Auth-Token token.
 		error = None
+		privs = []
+
 		try:
 			email, privs = auth_service.authenticate(request, env)
 		except ValueError as e:
-			# Authentication failed.
-			privs = []
-			error = "Incorrect username or password"
-
 			# Write a line in the log recording the failed login
 			log_failed_login(request)
 
+			# Authentication failed.
+			error = str(e)
+
 		# Authorized to access an API view?
 		if "admin" in privs:
+			# Store the email address of the logged in user so it can be accessed
+			# from the API methods that affect the calling user.
+			request.user_email = email
+			request.user_privs = privs
+
 			# Call view func.
 			return viewfunc(*args, **kwargs)
-		elif not error:
+
+		if not error:
 			error = "You are not an administrator."
 
 		# Not authorized. Return a 401 (send auth) and a prompt to authorize by default.
@@ -83,8 +93,8 @@ def authorized_personnel_only(viewfunc):
 def unauthorized(error):
 	return auth_service.make_unauthorized_response()
 
-def json_response(data):
-	return Response(json.dumps(data, indent=2, sort_keys=True)+'\n', status=200, mimetype='application/json')
+def json_response(data, status=200):
+	return Response(json.dumps(data, indent=2, sort_keys=True)+'\n', status=status, mimetype='application/json')
 
 ###################################
 
@@ -119,12 +129,17 @@ def me():
 	try:
 		email, privs = auth_service.authenticate(request, env)
 	except ValueError as e:
-		# Log the failed login
-		log_failed_login(request)
-
-		return json_response({
-			"status": "invalid",
-			"reason": "Incorrect username or password",
+		if "missing-totp-token" in str(e):
+			return json_response({
+				"status": "missing-totp-token",
+				"reason": str(e),
+			})
+		else:
+			# Log the failed login
+			log_failed_login(request)
+			return json_response({
+				"status": "invalid",
+				"reason": str(e),
 			})
 
 	resp = {
@@ -343,7 +358,7 @@ def ssl_get_status():
 
 	# What domains can we provision certificates for? What unexpected problems do we have?
 	provision, cant_provision = get_certificates_to_provision(env, show_valid_certs=False)
-	
+
 	# What's the current status of TLS certificates on all of the domain?
 	domains_status = get_web_domains_info(env)
 	domains_status = [
@@ -392,6 +407,60 @@ def ssl_provision_certs():
 	requests = provision_certificates(env, limit_domains=None)
 	return json_response({ "requests": requests })
 
+# multi-factor auth
+
+@app.route('/mfa/status', methods=['POST'])
+@authorized_personnel_only
+def mfa_get_status():
+	# Anyone accessing this route is an admin, and we permit them to
+	# see the MFA status for any user if they submit a 'user' form
+	# field. But we don't include provisioning info since a user can
+	# only provision for themselves.
+	email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request
+	try:
+		resp = {
+			"enabled_mfa": get_public_mfa_state(email, env)
+		}
+		if email == request.user_email:
+			resp.update({
+				"new_mfa": {
+					"totp": mfa_totp.provision(email, env)
+				}
+			})
+	except ValueError as e:
+		return (str(e), 400)
+	return json_response(resp)
+
+@app.route('/mfa/totp/enable', methods=['POST'])
+@authorized_personnel_only
+def totp_post_enable():
+	secret = request.form.get('secret')
+	token = request.form.get('token')
+	label = request.form.get('label')
+	if type(token) != str:
+		return ("Bad Input", 400)
+	try:
+		mfa_totp.validate_secret(secret)
+		enable_mfa(request.user_email, "totp", secret, token, label, env)
+	except ValueError as e:
+		return (str(e), 400)
+	return "OK"
+
+@app.route('/mfa/disable', methods=['POST'])
+@authorized_personnel_only
+def totp_post_disable():
+	# Anyone accessing this route is an admin, and we permit them to
+	# disable the MFA status for any user if they submit a 'user' form
+	# field.
+	email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request
+	try:
+		result = disable_mfa(email, request.form.get('mfa-id') or None, env) # convert empty string to None
+	except ValueError as e:
+		return (str(e), 400)
+	if result: # success
+		return "OK"
+	else: # error
+		return ("Invalid user or MFA id.", 400)
 
 # WEB
 
diff --git a/management/mailconfig.py b/management/mailconfig.py
index 078ec809..df32acac 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -1190,7 +1190,6 @@ def validate_password(pw):
 	if len(pw) < 8:
 		raise ValueError("Passwords must be at least eight characters.")
 
-
 if __name__ == "__main__":
 	import sys
 	if len(sys.argv) > 2 and sys.argv[1] == "validate-email":
diff --git a/management/mfa.py b/management/mfa.py
new file mode 100644
index 00000000..9c3a6636
--- /dev/null
+++ b/management/mfa.py
@@ -0,0 +1,144 @@
+# -*- indent-tabs-mode: t; tab-width: 4; python-indent-offset: 4; -*-
+
+from mailconfig import open_database, find_mail_user
+import mfa_totp
+
+def strip_order_prefix(rec, attributes):
+	'''strip the order prefix from X-ORDERED ldap values for the
+	list of attributes specified
+
+    `rec` is modified in-place
+
+	the server returns X-ORDERED values ordered so the values will be
+	sorted in the record making the prefix superfluous.
+
+	For example, the function will change:
+       totpSecret: {0}secret1 
+       totpSecret: {1}secret2 
+    to:
+	   totpSecret: secret1
+       totpSecret: secret2
+
+	TODO: move to backend.py and/or integrate with LdapConnection.search()
+	'''
+	for attr in attributes:
+		# ignore attribute that doesn't exist
+		if not attr in rec: continue		
+		# ..as well as None values and empty list
+		if not rec[attr]: continue
+		
+		newvals = []
+		for val in rec[attr]:
+			i = val.find('}')
+			newvals.append(val[i+1:])
+		rec[attr] = newvals
+		
+def get_mfa_user(email, env, conn=None):
+	'''get the ldap record for the user along with all MFA-related
+	attributes
+
+	'''
+	user = find_mail_user(env, email, ['objectClass','totpSecret','totpMruToken','totpMruTokenTime','totpLabel'], conn)
+	if not user:
+		raise ValueError("User does not exist.")	
+	strip_order_prefix(user, ['totpSecret','totpMruToken','totpMruTokenTime','totpLabel'])
+	return user
+
+
+
+def get_mfa_state(email, env):
+	'''return details about what MFA schemes are enabled for a user
+	ordered by the priority that the scheme will be tried, with index
+	zero being the first.
+
+	'''
+	user = get_mfa_user(email, env)
+	state_list = []
+	state_list += mfa_totp.get_state(user)
+	return state_list
+
+def get_public_mfa_state(email, env):
+	'''return details about what MFA schemes are enabled for a user
+	ordered by the priority that the scheme will be tried, with index
+	zero being the first. No secrets are returned by this function -
+	only those details that are needed by the end user to identify a
+	particular MFA by label and the id of each so it may be disabled.
+
+	'''
+	mfa_state = get_mfa_state(email, env)
+	return [
+		{ "id": s["id"], "type": s["type"], "label": s["label"] }
+		for s in mfa_state
+	]
+
+def get_hash_mfa_state(email, env):
+	'''return details about what MFA schemes are enabled for a user
+	ordered by the priority that the scheme will be tried, with index
+	zero being the first. This function may return secrets. It's
+	intended use is for the result to be included as part of the input
+	to a hashing function to generate a user api key (see
+	auth.py:create_user_key)
+
+	'''
+	mfa_state = get_mfa_state(email, env)
+	return [
+		{ "id": s["id"], "type": s["type"], "secret": s["secret"] }
+		for s in mfa_state
+	]
+
+def enable_mfa(email, type, secret, token, label, env):
+	'''enable MFA using the scheme specified in `type`. users may have
+multiple mfa schemes enabled of the same type.
+
+	'''
+	user = get_mfa_user(email, env)
+	if type == "totp":
+		mfa_totp.enable(user, secret, token, label, env)
+	else:
+		raise ValueError("Invalid MFA type.")
+
+def disable_mfa(email, mfa_id, env):
+	'''disable a specific MFA scheme. `mfa_id` identifies the specific
+	entry and is available in the `id` field of an item in the list
+	obtained from get_mfa_state()
+
+	'''
+	user = get_mfa_user(email, env)
+	if mfa_id is None:
+		# Disable all MFA for a user.
+		return mfa_totp.disable(user, None, env)
+	elif mfa_id.startswith("totp:"):
+		# Disable a particular MFA mode for a user.
+		return mfa_totp.disable(user, mfa_id, env)
+	else:
+		return False
+			
+def validate_auth_mfa(email, request, env):
+	# Validates that a login request satisfies any MFA modes
+	# that have been enabled for the user's account. Returns
+	# a tuple (status, [hints]). status is True for a successful
+	# MFA login, False for a missing token. If status is False,
+	# hints is an array of codes that indicate what the user
+	# can try. Possible codes are:
+	# "missing-totp-token"
+	# "invalid-totp-token"
+
+	mfa_state = get_mfa_state(email, env)
+
+	# If no MFA modes are added, return True.
+	if len(mfa_state) == 0:
+		return (True, [])
+
+	# Try the enabled MFA modes.
+	hints = set()
+	for mfa_mode in mfa_state:
+		if mfa_mode["type"] == "totp":
+			user = get_mfa_user(email, env)
+			result, hint = mfa_totp.validate_auth(user, mfa_mode, request, True, env)
+			if not result:
+				hints.add(hint)
+			else:
+				return (True, [])
+
+	# On a failed login, indicate failure and any hints for what the user can do instead.
+	return (False, list(hints))
diff --git a/management/mfa_totp.py b/management/mfa_totp.py
new file mode 100644
index 00000000..3af8f9a6
--- /dev/null
+++ b/management/mfa_totp.py
@@ -0,0 +1,178 @@
+# -*- indent-tabs-mode: t; tab-width: 4; python-indent-offset: 4; -*-
+import base64
+import hmac
+import pyotp
+import qrcode
+import io
+import os
+import time
+
+from mailconfig import open_database
+
+def id_from_index(user, index):
+	'''return a unique id for the user's totp entry. the index itself
+	should be avoided to ensure a change in the order does not cause
+	an unexpected change.
+
+	'''
+	return 'totp:' + user['totpMruTokenTime'][index]
+
+def index_from_id(user, id):
+	'''return the index of the corresponding id from the list of totp
+	entries for a user, or -1 if not found
+
+	'''
+	for index in range(0, len(user['totpSecret'])):
+		xid = id_from_index(user, index)
+		if xid == id:
+			return index
+	return -1
+
+def time_ns():
+	if "time_ns" in dir(time):
+		return time.time_ns()
+	else:
+		return int(time.time() * 1000000000)
+	
+def get_state(user):
+	state_list = []
+
+	# totp
+	for idx in range(0, len(user['totpSecret'])):
+		state_list.append({
+			'id': id_from_index(user, idx),
+			'type': 'totp',
+			'secret': user['totpSecret'][idx],
+			'mru_token': user['totpMruToken'][idx],
+			'label': user['totpLabel'][idx]
+		})
+	return state_list
+
+def enable(user, secret, token, label, env):
+	validate_secret(secret)
+	# Sanity check with the provide current token.
+	totp = pyotp.TOTP(secret)
+	if not totp.verify(token, valid_window=1):
+		raise ValueError("Invalid token.")
+
+	mods = {
+		"totpSecret": user['totpSecret'].copy() + [secret],
+		"totpMruToken": user['totpMruToken'].copy() + [''],
+		"totpMruTokenTime": user['totpMruTokenTime'].copy() + [time_ns()],
+		"totpLabel": user['totpLabel'].copy() + [label or '']
+	}
+	if 'totpUser' not in user['objectClass']:
+		 mods['objectClass'] = user['objectClass'].copy() + ['totpUser']
+	
+	conn = open_database(env)
+	conn.modify_record(user, mods)
+
+def set_mru_token(user, id, token, env):
+	# return quietly if the user is not configured for TOTP
+	if 'totpUser' not in user['objectClass']: return
+
+	# ensure the id is valid
+	idx = index_from_id(user, id)
+	if idx<0:
+		raise ValueError('MFA/totp mru index is out of range')
+
+	# store the token
+	mods = {
+		"totpMruToken": user['totpMruToken'].copy(),
+		"totpMruTokenTime": user['totpMruTokenTime'].copy()
+	}
+	mods['totpMruToken'][idx] = token
+	mods['totpMruTokenTime'][idx] = time_ns()
+	conn = open_database(env)
+	conn.modify_record(user, mods)
+
+
+def disable(user, id, env):
+	# Disable a particular MFA mode for a user.
+	if id is None:
+		# Disable all totp
+		mods = {
+			"objectClass": user["objectClass"].copy(),
+			"totpMruToken": None,
+			"totpMruTokenTime": None,
+			"totpSecret": None,
+			"totpLabel": None
+		}
+		mods["objectClass"].remove("totpUser")	
+		open_database(env).modify_record(user, mods)
+		return True
+
+	else:
+		# Disable totp at the index specified
+		idx = index_from_id(user, id)	
+		if idx<0 or idx>=len(user['totpSecret']):
+			return False
+		mods = {
+			"objectClass": user["objectClass"].copy(),
+			"totpMruToken": user["totpMruToken"].copy(),
+			"totpMruTokenTime": user["totpMruTokenTime"].copy(),
+			"totpSecret": user["totpSecret"].copy(),
+			"totpLabel": user["totpLabel"].copy()
+		}
+		mods["totpMruToken"].pop(idx)
+		mods["totpMruTokenTime"].pop(idx)
+		mods["totpSecret"].pop(idx)
+		mods["totpLabel"].pop(idx)
+		if len(mods["totpSecret"])==0:
+			mods['objectClass'].remove('totpUser')
+		open_database(env).modify_record(user, mods)
+		return True
+
+
+def validate_secret(secret):
+	if type(secret) != str or secret.strip() == "":
+		raise ValueError("No secret provided.")
+	if len(secret) != 32:
+		raise ValueError("Secret should be a 32 characters base32 string")
+
+def provision(email, env):
+	# Make a new secret.
+	secret = base64.b32encode(os.urandom(20)).decode('utf-8')
+	validate_secret(secret) # sanity check
+
+	# Make a URI that we encode within a QR code.
+	uri = pyotp.TOTP(secret).provisioning_uri(
+		name=email,
+		issuer_name=env["PRIMARY_HOSTNAME"] + " Mail-in-a-Box Control Panel"
+	)
+
+	# Generate a QR code as a base64-encode PNG image.
+	qr = qrcode.make(uri)
+	byte_arr = io.BytesIO()
+	qr.save(byte_arr, format='PNG')
+	png_b64 = base64.b64encode(byte_arr.getvalue()).decode('utf-8')
+
+	return {
+		"type": "totp",
+		"secret": secret,
+		"qr_code_base64": png_b64
+	}
+
+
+def validate_auth(user, state, request, save_mru, env):
+	# Check that a token is present in the X-Auth-Token header.
+	# If not, give a hint that one can be supplied.
+	token = request.headers.get('x-auth-token')
+	if not token:
+		return (False, "missing-totp-token")
+
+	# Check for a replay attack.
+	if hmac.compare_digest(token, state['mru_token'] or ""):
+		# If the token fails, skip this MFA mode.
+		return (False, "invalid-totp-token")
+
+	# Check the token.
+	totp = pyotp.TOTP(state["secret"])
+	if not totp.verify(token, valid_window=1):
+		return (False, "invalid-totp-token")
+
+	# On success, record the token to prevent a replay attack.
+	if save_mru:
+		set_mru_token(user, state['id'], token, env)
+
+	return (True, None)
diff --git a/management/templates/index.html b/management/templates/index.html
index 2c0d5a9a..12f6ad8e 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -97,11 +97,14 @@
               </ul>
             </li>
             <li class="dropdown">
-              <a href="#" class="dropdown-toggle" data-toggle="dropdown">Mail <b class="caret"></b></a>
+              <a href="#" class="dropdown-toggle" data-toggle="dropdown">Mail &amp; Users <b class="caret"></b></a>
               <ul class="dropdown-menu">
                 <li><a href="#mail-guide" onclick="return show_panel(this);">Instructions</a></li>
                 <li><a href="#users" onclick="return show_panel(this);">Users</a></li>
                 <li><a href="#aliases" onclick="return show_panel(this);">Aliases</a></li>
+                <li class="divider"></li>
+                <li class="dropdown-header">Your Account</li>
+                <li><a href="#mfa" onclick="return show_panel(this);">Two-Factor Authentication</a></li>
               </ul>
             </li>
             <li><a href="#sync_guide" onclick="return show_panel(this);">Contacts/Calendar</a></li>
@@ -131,6 +134,10 @@
       {% include "custom-dns.html" %}
       </div>
 
+      <div id="panel_mfa" class="admin_panel">
+      {% include "mfa.html" %}
+      </div>
+
       <div id="panel_login" class="admin_panel">
       {% include "login.html" %}
       </div>
@@ -292,7 +299,7 @@ function ajax_with_indicator(options) {
 }
 
 var api_credentials = ["", ""];
-function api(url, method, data, callback, callback_error) {
+function api(url, method, data, callback, callback_error, headers) {
   // from http://www.webtoolkit.info/javascript-base64.html
   function base64encode(input) {
     _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
@@ -330,7 +337,7 @@ function api(url, method, data, callback, callback_error) {
     method: method,
     cache: false,
     data: data,
-
+    headers: headers,
     // the custom DNS api sends raw POST/PUT bodies --- prevent URL-encoding
     processData: typeof data != "string",
     mimeType: typeof data == "string" ? "text/plain; charset=ascii" : null,
@@ -358,6 +365,16 @@ function api(url, method, data, callback, callback_error) {
 
 var current_panel = null;
 var switch_back_to_panel = null;
+
+function do_logout() {
+  api_credentials = ["", ""];
+  if (typeof localStorage != 'undefined')
+    localStorage.removeItem("miab-cp-credentials");
+  if (typeof sessionStorage != 'undefined')
+    sessionStorage.removeItem("miab-cp-credentials");
+  show_panel('login');
+}
+
 function show_panel(panelid) {
   if (panelid.getAttribute)
     // we might be passed an HTMLElement <a>.
diff --git a/management/templates/login.html b/management/templates/login.html
index b6e74df6..4c432aae 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -1,4 +1,29 @@
-<h1 style="margin: 1em; text-align: center">{{hostname}}</h1>
+<style>
+  .title {
+    margin: 1em;
+    text-align: center;
+  }
+
+  .subtitle {
+    margin: 2em;
+    text-align: center;
+  }
+
+  .login {
+    margin: 0 auto;
+    max-width: 32em;
+  }
+
+  .login #loginOtp {
+    display: none;
+  }
+
+  #loginForm.is-twofactor #loginOtp {
+    display: block
+  }
+</style>
+
+<h1 class="title">{{hostname}}</h1>
 
 {% if no_users_exist or no_admins_exist %}
 <div class="row">
@@ -7,23 +32,23 @@
   <p class="text-danger">There are no users on this system! To make an administrative user,
   log into this machine using SSH (like when you first set it up) and run:</p>
   <pre>cd mailinabox
-sudo tools/mail.py user add me@{{hostname}}
-sudo tools/mail.py user make-admin me@{{hostname}}</pre>
+sudo management/cli.py user add me@{{hostname}}
+sudo management/cli.py user make-admin me@{{hostname}}</pre>
   {% else %}
   <p class="text-danger">There are no administrative users on this system! To make an administrative user,
   log into this machine using SSH (like when you first set it up) and run:</p>
   <pre>cd mailinabox
-sudo tools/mail.py user make-admin me@{{hostname}}</pre>
+sudo management/cli.py user make-admin me@{{hostname}}</pre>
   {% endif %}
   <hr>
 </div>
 </div>
 {% endif %}
 
-<p style="margin: 2em; text-align: center;">Log in here for your Mail-in-a-Box control panel.</p>
+<p class="subtitle">Log in here for your Mail-in-a-Box control panel.</p>
 
-<div style="margin: 0 auto; max-width: 32em;">
-  <form class="form-horizontal" role="form" onsubmit="do_login(); return false;" method="get">
+<div class="login">
+  <form id="loginForm" class="form-horizontal" role="form" onsubmit="do_login(); return false;" method="get">
     <div class="form-group">
       <label for="inputEmail3" class="col-sm-3 control-label">Email</label>
       <div class="col-sm-9">
@@ -36,6 +61,13 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
         <input name="password" type="password" class="form-control" id="loginPassword" placeholder="Password">
       </div>
     </div>
+    <div class="form-group" id="loginOtp">
+      <label for="loginOtpInput" class="col-sm-3 control-label">Code</label>
+      <div class="col-sm-9">
+          <input type="text" class="form-control" id="loginOtpInput" placeholder="6-digit code">
+          <div class="help-block" style="margin-top: 5px; font-size: 90%">Enter the six-digit code generated by your two factor authentication app.</div>
+      </div>
+    </div>
     <div class="form-group">
       <div class="col-sm-offset-3 col-sm-9">
         <div class="checkbox">
@@ -53,15 +85,15 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
   </form>
 </div>
 
-
 <script>
 function do_login() {
   if ($('#loginEmail').val() == "") {
     show_modal_error("Login Failed", "Enter your email address.", function() {
-	$('#loginEmail').focus();
+      $('#loginEmail').focus();
     });
     return false;
   }
+
   if ($('#loginPassword').val() == "") {
     show_modal_error("Login Failed", "Enter your email password.", function() {
         $('#loginPassword').focus();
@@ -75,17 +107,29 @@ function do_login() {
   api(
   "/me",
   "GET",
-  { },
-  function(response){
+  {},
+  function(response) {
     // This API call always succeeds. It returns a JSON object indicating
     // whether the request was authenticated or not.
-    if (response.status != "ok") {
-      // Show why the login failed.
-      show_modal_error("Login Failed", response.reason)
+    if (response.status != 'ok') {
+      if (response.status === 'missing-totp-token' || (response.status === 'invalid' && response.reason == 'invalid-totp-token')) {
+        $('#loginForm').addClass('is-twofactor');
+        if (response.reason === "invalid-totp-token") {
+          show_modal_error("Login Failed", "Incorrect two factor authentication token.");
+        } else {
+          setTimeout(() => {
+              $('#loginOtpInput').focus();
+          });
+        }
+      } else {
+        $('#loginForm').removeClass('is-twofactor');
 
-      // Reset any saved credentials.
-      do_logout();
+        // Show why the login failed.
+        show_modal_error("Login Failed", response.reason)
 
+        // Reset any saved credentials.
+        do_logout();
+      }
     } else if (!("api_key" in response)) {
       // Login succeeded but user might not be authorized!
       show_modal_error("Login Failed", "You are not an administrator on this system.")
@@ -102,6 +146,8 @@ function do_login() {
       // Try to wipe the username/password information.
       $('#loginEmail').val('');
       $('#loginPassword').val('');
+      $('#loginOtpInput').val('');
+      $('#loginForm').removeClass('is-twofactor');
 
       // Remember the credentials.
       if (typeof localStorage != 'undefined' && typeof sessionStorage != 'undefined') {
@@ -119,19 +165,16 @@ function do_login() {
       // which confuses the loading indicator.
       setTimeout(function() { show_panel(!switch_back_to_panel || switch_back_to_panel == "login" ? 'system_status' : switch_back_to_panel) }, 300);
     }
-  })
-}
-
-function do_logout() {
-  api_credentials = ["", ""];
-  if (typeof localStorage != 'undefined')
-    localStorage.removeItem("miab-cp-credentials");
-  if (typeof sessionStorage != 'undefined')
-    sessionStorage.removeItem("miab-cp-credentials");
-  show_panel('login');
+  },
+  undefined,
+  {
+    'x-auth-token': $('#loginOtpInput').val()
+  });
 }
 
 function show_login() {
+  $('#loginForm').removeClass('is-twofactor');
+  $('#loginOtpInput').val('');
   $('#loginEmail,#loginPassword').each(function() {
     var input = $(this);
     if (!$.trim(input.val())) {
diff --git a/management/templates/mfa.html b/management/templates/mfa.html
new file mode 100644
index 00000000..f45b263f
--- /dev/null
+++ b/management/templates/mfa.html
@@ -0,0 +1,242 @@
+<style>
+    .twofactor #totp-setup,
+    .twofactor #disable-2fa,
+    .twofactor #output-2fa {
+        display: none;
+    }
+
+    .twofactor.loaded .loading-indicator {
+        display: none;
+    }
+
+    .twofactor.disabled #disable-2fa,
+    .twofactor.enabled #totp-setup {
+        display: none;
+    }
+
+    .twofactor.disabled #totp-setup,
+    .twofactor.enabled #disable-2fa {
+        display: block;
+    }
+
+    .twofactor #totp-setup-qr img {
+        display: block;
+        width: 256px;
+        max-width: 100%;
+        height: auto;
+    }
+
+    .twofactor #output-2fa.visible {
+        display: block;
+    }
+</style>
+
+<h2>Two-Factor Authentication</h2>
+
+<p>When two-factor authentication is enabled, you will be prompted to enter a six digit code from an
+authenticator app (usually on your phone) when you log into this control panel.</p>
+
+<div class="panel panel-danger">
+<div class="panel-heading">
+Enabling two-factor authentication does not protect access to your email
+</div>
+<div class="panel-body">
+Enabling two-factor authentication on this page only limits access to this control panel. Remember that most websites allow you to
+reset your password by checking your email, so anyone with access to your email can typically take over
+your other accounts. Additionally, if your email address or any alias that forwards to your email
+address is a typical domain control validation address (e.g admin@, administrator@, postmaster@, hostmaster@,
+webmaster@, abuse@), extra care should be taken to protect the account. <strong>Always use a strong password,
+and ensure every administrator account for this control panel does the same.</strong>
+</div>
+</div>
+
+<div class="twofactor">
+    <div class="loading-indicator">Loading...</div>
+
+    <form id="totp-setup">
+        <h3>Setup Instructions</h3>
+
+        <div class="form-group">
+            <p>1. Install <a href="https://freeotp.github.io/">FreeOTP</a> or <a href="https://www.pcworld.com/article/3225913/what-is-two-factor-authentication-and-which-2fa-apps-are-best.html">any
+            other two-factor authentication app</a> that supports TOTP.</p>
+        </div>
+
+        <div class="form-group">
+            <p style="margin-bottom: 0">2. Scan the QR code in the app or directly enter the secret into the app:</p>
+            <div id="totp-setup-qr"></div>
+        </div>
+
+        <div class="form-group">
+            <label for="otp-label" style="font-weight: normal">3. Optionally, give your device a label so that you can remember what device you set it up on:</label>
+            <input type="text" id="totp-setup-label" class="form-control" placeholder="my phone" />
+        </div>
+
+        <div class="form-group">
+            <label for="otp" style="font-weight: normal">4. Use the app to generate your first six-digit code and enter it here:</label>
+            <input type="text" id="totp-setup-token" class="form-control" placeholder="6-digit code" />
+        </div>
+
+        <input type="hidden" id="totp-setup-secret" />
+
+        <div class="form-group">
+            <p>When you click Enable Two-Factor Authentication, you will be logged out of the control panel and will have to log in
+            again, now using your two-factor authentication app.</p>
+            <button id="totp-setup-submit" disabled type="submit" class="btn">Enable Two-Factor Authentication</button>
+        </div>
+    </form>
+
+    <form id="disable-2fa">
+        <div class="form-group">
+            <p>Two-factor authentication is active for your account<span id="mfa-device-label"></span>.</p>
+            <p>You will have to log into the admin panel again after disabling two-factor authentication.</p>
+        </div>
+        <div class="form-group">
+            <button type="submit" class="btn btn-danger">Disable Two-Factor Authentication</button>
+        </div>
+    </form>
+
+    <div id="output-2fa" class="panel panel-danger">
+        <div class="panel-body"></div>
+    </div>
+</div>
+
+<script>
+    var el = {
+        disableForm: document.getElementById('disable-2fa'),
+        output: document.getElementById('output-2fa'),
+        totpSetupForm: document.getElementById('totp-setup'),
+        totpSetupToken: document.getElementById('totp-setup-token'),
+        totpSetupSecret: document.getElementById('totp-setup-secret'),
+        totpSetupLabel: document.getElementById('totp-setup-label'),
+        totpQr: document.getElementById('totp-setup-qr'),
+        totpSetupSubmit: document.querySelector('#totp-setup-submit'),
+        wrapper: document.querySelector('.twofactor')
+    }
+
+    function update_setup_disabled(evt) {
+        var val = evt.target.value.trim();
+
+        if (
+            typeof val !== 'string' ||
+            typeof el.totpSetupSecret.value !== 'string' ||
+            val.length !== 6 ||
+            el.totpSetupSecret.value.length !== 32 ||
+            !(/^\+?\d+$/.test(val))
+        ) {
+            el.totpSetupSubmit.setAttribute('disabled', '');
+        } else {
+            el.totpSetupSubmit.removeAttribute('disabled');
+        }
+    }
+
+    function render_totp_setup(provisioned_totp) {
+        var img = document.createElement('img');
+        img.src = "data:image/png;base64," + provisioned_totp.qr_code_base64;
+
+        var code = document.createElement('div');
+        code.innerHTML = `Secret: ${provisioned_totp.secret}`;
+
+        el.totpQr.appendChild(img);
+        el.totpQr.appendChild(code);
+
+        el.totpSetupToken.addEventListener('input', update_setup_disabled);
+        el.totpSetupForm.addEventListener('submit', do_enable_totp);
+
+        el.totpSetupSecret.setAttribute('value', provisioned_totp.secret);
+
+        el.wrapper.classList.add('disabled');
+    }
+
+    function render_disable(mfa) {
+        el.disableForm.addEventListener('submit', do_disable);
+        el.wrapper.classList.add('enabled');
+        if (mfa.label)
+          $("#mfa-device-label").text(" on device '" + mfa.label + "'");
+    }
+
+    function hide_error() {
+        el.output.querySelector('.panel-body').innerHTML = '';
+        el.output.classList.remove('visible');
+    }
+
+    function render_error(msg) {
+        el.output.querySelector('.panel-body').innerHTML = msg;
+        el.output.classList.add('visible');
+    }
+
+    function reset_view() {
+        el.wrapper.classList.remove('loaded', 'disabled', 'enabled');
+
+        el.disableForm.removeEventListener('submit', do_disable);
+
+        hide_error();
+
+        el.totpSetupForm.reset();
+        el.totpSetupForm.removeEventListener('submit', do_enable_totp);
+
+        el.totpSetupSecret.setAttribute('value', '');
+        el.totpSetupToken.removeEventListener('input', update_setup_disabled);
+
+        el.totpSetupSubmit.setAttribute('disabled', '');
+        el.totpQr.innerHTML = '';
+    }
+
+    function show_mfa() {
+        reset_view();
+
+        api(
+            '/mfa/status',
+            'POST',
+            {},
+            function(res) {
+                el.wrapper.classList.add('loaded');
+
+                var has_mfa = false;
+                res.enabled_mfa.forEach(function(mfa) {
+                    if (mfa.type == "totp") {
+                        render_disable(mfa);
+                        has_mfa = true;
+                    }
+                });
+
+                if (!has_mfa)
+                  render_totp_setup(res.new_mfa.totp);
+            }
+        );
+    }
+
+    function do_disable(evt) {
+        evt.preventDefault();
+        hide_error();
+
+        api(
+            '/mfa/disable',
+            'POST',
+            { type: 'totp' },
+            function() {
+                do_logout();
+            }
+        );
+
+        return false;
+    }
+
+    function do_enable_totp(evt) {
+        evt.preventDefault();
+        hide_error();
+
+        api(
+            '/mfa/totp/enable',
+            'POST',
+            {
+                token: $(el.totpSetupToken).val(),
+                secret: $(el.totpSetupSecret).val(),
+                label: $(el.totpSetupLabel).val()
+            },
+            function(res) { do_logout(); },
+            function(res) { render_error(res); }
+        );
+
+        return false;
+    }
+</script>
diff --git a/setup/firstuser.sh b/setup/firstuser.sh
index f6947695..e2d6531c 100644
--- a/setup/firstuser.sh
+++ b/setup/firstuser.sh
@@ -1,6 +1,6 @@
 # If there aren't any mail users yet, create one.
-if [ -z "`tools/mail.py user`" ]; then
-	# The outut of "tools/mail.py user" is a list of mail users. If there
+if [ -z "`management/cli.py user`" ]; then
+	# The outut of "management/cli.py user" is a list of mail users. If there
 	# aren't any yet, it'll be empty.
 
 	# If we didn't ask for an email address at the start, do so now.
@@ -47,11 +47,11 @@ if [ -z "`tools/mail.py user`" ]; then
 	fi
 
 	# Create the user's mail account. This will ask for a password if none was given above.
-	tools/mail.py user add $EMAIL_ADDR ${EMAIL_PW:-}
+	management/cli.py user add $EMAIL_ADDR ${EMAIL_PW:-}
 
 	# Make it an admin.
-	hide_output tools/mail.py user make-admin $EMAIL_ADDR
+	hide_output management/cli.py user make-admin $EMAIL_ADDR
 
 	# Create an alias to which we'll direct all automatically-created administrative aliases.
-	tools/mail.py alias add administrator@$PRIMARY_HOSTNAME $EMAIL_ADDR > /dev/null
+	management/cli.py alias add administrator@$PRIMARY_HOSTNAME $EMAIL_ADDR > /dev/null
 fi
diff --git a/setup/ldap.sh b/setup/ldap.sh
index 252c5cd8..f86a67a5 100755
--- a/setup/ldap.sh
+++ b/setup/ldap.sh
@@ -374,6 +374,20 @@ add_schemas() {
 		ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null
 		rm -f "$ldif"
 	fi
+
+	# apply the mfa-totp schema
+	# this adds the totpUser class to store the totp secret
+	local schema="mfa-totp.schema"
+	local cn="mfa-totp"
+	get_attribute "cn=schema,cn=config" "(&(cn={*}$cn)(objectClass=olcSchemaConfig))" "cn"
+	if [ -z "$ATTR_DN" ]; then
+		local ldif="/tmp/$cn.$$.ldif"
+		schema_to_ldif "$schema" "$ldif" "$cn"
+		say_verbose "Adding '$cn' schema"
+		[ $verbose -gt 1 ] && cat "$ldif"
+		ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null
+		rm -f "$ldif"
+	fi
 }
 
 
@@ -560,16 +574,18 @@ apply_access_control() {
 	# Permission restrictions:
 	#	service accounts (except management):
 	#	   can bind but not change passwords, including their own
-	#	   can read all attributes of all users but not userPassword
+	#	   can read all attributes of all users but not userPassword,
+	#         totpSecret, totpMruToken, totpMruTokenTime, or totpLabel
 	#	   can read config subtree (permitted-senders, domains)
 	#	   no access to services subtree, except their own dn
 	#	management service account:
-	#	   can read and change password and shadowLastChange
+	#	   can read and change password, shadowLastChange, and totpSecret
 	#	   all other service account permissions are the same
 	#	users:
 	#	   can bind and change their own password
 	#	   can read and change their own shadowLastChange
-	#	   can read attributess of all users except mailaccess
+	#      cannot read or modify totpSecret, totpMruToken, totpMruTokenTime, totpLabel
+	#	   can read attributess of other users except mailaccess, totpSecret, totpMruToken, totpMruTokenTime, totpLabel
 	#	   no access to config subtree
 	#	   no access to services subtree
 	#
@@ -591,6 +607,10 @@ olcAccess: to attrs=userPassword
   by self =wx
   by anonymous auth
   by * none
+olcAccess: to attrs=totpSecret,totpMruToken,totpMruTokenTime,totpLabel
+  by dn.exact="cn=management,${LDAP_SERVICES_BASE}" write
+  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
+  by * none
 olcAccess: to attrs=shadowLastChange
   by self write
   by dn.exact="cn=management,${LDAP_SERVICES_BASE}" write
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index 2a7e49f2..3d51abb4 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -17,7 +17,6 @@ source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 source ${STORAGE_ROOT}/ldap/miab_ldap.conf # user-data specific vars
 
-
 # ### User Authentication
 
 # Have Dovecot query our database, and not system users, for authentication.
diff --git a/setup/management.sh b/setup/management.sh
index 7449c29a..0e0079e4 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -50,6 +50,7 @@ hide_output $venv/bin/pip install --upgrade pip
 hide_output $venv/bin/pip install --upgrade \
 	rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
 	flask dnspython python-dateutil \
+    qrcode[pil] pyotp \
 	"idna>=2.0.0" "cryptography==2.2.2" boto psutil postfix-mta-sts-resolver ldap3
 
 # CONFIGURATION
diff --git a/setup/migrate.py b/setup/migrate.py
index dae96799..43a0b30b 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -183,6 +183,14 @@ def migration_12(env):
             conn.close()
 
 def migration_13(env):
+	# Add the "mfa" table for configuring MFA for login to the control panel.
+	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
+	shell("check_call", ["sqlite3", db, "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);"])
+
+###########################################################
+
+
+def migration_miabldap_1(env):
 	# This migration step moves users from sqlite3 to openldap
 
 	# users table:
@@ -207,7 +215,7 @@ def migration_13(env):
 	#   objectClass: mailGroup
 	#   mail: [source]
 	#   member: [user-dn]         # multi-valued
-
+	
 	print("Migrating users and aliases from sqlite to ldap")
 	
 	# Get the ldap server up and running
@@ -241,12 +249,11 @@ def migration_13(env):
 	ldap.unbind()
 	conn.close()
 	
-
 def get_current_migration():
 	ver = 0
 	while True:
 		next_ver = (ver + 1)
-		migration_func = globals().get("migration_%d" % next_ver)
+		migration_func = globals().get("migration_miabldap_%d" % next_ver)
 		if not migration_func:
 			return ver
 		ver = next_ver
@@ -312,11 +319,67 @@ def run_migrations():
 
 		# iterate and try next version...
 
+def run_miabldap_migrations():
+	if not os.access("/etc/mailinabox.conf", os.W_OK, effective_ids=True):
+		print("This script must be run as root.", file=sys.stderr)
+		sys.exit(1)
+
+	env = load_environment()
+
+	migration_id_file = os.path.join(env['STORAGE_ROOT'], 'mailinabox-ldap.version')
+	migration_id = 0
+	if os.path.exists(migration_id_file):
+		with open(migration_id_file) as f:
+			migration_id = f.read().strip();
+
+	ourver = int(migration_id)
+
+	while True:
+		next_ver = (ourver + 1)
+		migration_func = globals().get("migration_miabldap_%d" % next_ver)
+
+		if not migration_func:
+			# No more migrations to run.
+			break
+
+		print()
+		print("Running migration to Mail-in-a-Box LDAP #%d..." % next_ver)
+
+		try:
+			migration_func(env)
+		except Exception as e:
+			print()
+			print("Error running the migration script:")
+			print()
+			print(e)
+			print()
+			print("Your system may be in an inconsistent state now. We're terribly sorry. A re-install from a backup might be the best way to continue.")
+			#sys.exit(1)
+			raise e
+
+		ourver = next_ver
+
+		# Write out our current version now. Do this sooner rather than later
+		# in case of any problems.
+		with open(migration_id_file, "w") as f:
+			f.write(str(ourver) + "\n")
+
+		# iterate and try next version...
+
 if __name__ == "__main__":
 	if sys.argv[-1] == "--current":
 		# Return the number of the highest migration.
 		print(str(get_current_migration()))
 	elif sys.argv[-1] == "--migrate":
 		# Perform migrations.
-		run_migrations()
+		env = load_environment()
+		
+		# if miab-ldap already installed, only run miab-ldap migrations
+		if 'LDAP_USERS_BASE' in env:
+			run_miabldap_migrations()
+			
+		# otherwise, run both
+		else:
+			run_migrations()
+			run_miabldap_migrations()
 
diff --git a/setup/migration_13.py b/setup/migration_13.py
index 303ba68d..6a8ae9ca 100644
--- a/setup/migration_13.py
+++ b/setup/migration_13.py
@@ -8,7 +8,7 @@
 import uuid, os, sqlite3, ldap3, hashlib
 
 
-def add_user(env, ldapconn, search_base, users_base, domains_base, email, password, privs, cn=None):
+def add_user(env, ldapconn, search_base, users_base, domains_base, email, password, privs, totp, cn=None):
 	# Add a sqlite user to ldap
 	#   env are the environment variables
 	#   ldapconn is the bound ldap connection
@@ -18,6 +18,7 @@ def add_user(env, ldapconn, search_base, users_base, domains_base, email, passwo
 	#   email is the user's email
 	#   password is the user's current sqlite password hash
 	#   privs is an array of privilege names for the user
+	#   totp contains the list of secrets, mru tokens, and labels
 	#   cn is the user's common name [optional]
 	#
 	# the email address should be as-is from sqlite (encoded as
@@ -37,6 +38,7 @@ def add_user(env, ldapconn, search_base, users_base, domains_base, email, passwo
 	uid = m.hexdigest()
 	
 	# Attributes to apply to the new ldap entry
+	objectClasses = [ 'inetOrgPerson','mailUser','shadowAccount' ]
 	attrs = {
 		"mail" : email,
 		"maildrop" : email,
@@ -73,12 +75,19 @@ def add_user(env, ldapconn, search_base, users_base, domains_base, email, passwo
 	# Choose a surname for the user (required attribute)
 	attrs["sn"] = cn[cn.find(' ')+1:]
 
+	# add TOTP, if enabled
+	if totp:
+		objectClasses.append('totpUser')
+		attrs['totpSecret'] = totp["secret"]
+		attrs['totpMruToken'] = totp["mru_token"]
+		attrs['totpMruTokenTime'] = totp["mru_token_time"]
+		attrs['totpLabel'] = totp["label"]
+	
 	# Add user
 	dn = "uid=%s,%s" % (uid, users_base)
+	
 	print("adding user %s" % email)
-	ldapconn.add(dn,
-		     [ 'inetOrgPerson','mailUser','shadowAccount' ],
-		     attrs);			 
+	ldapconn.add(dn, objectClasses, attrs)
 
 	# Create domain entry indicating that we are handling
 	# mail for that domain
@@ -95,14 +104,37 @@ def add_user(env, ldapconn, search_base, users_base, domains_base, email, passwo
 def create_users(env, conn, ldapconn, ldap_base, ldap_users_base, ldap_domains_base):
 	# iterate through sqlite 'users' table and create each user in
 	# ldap. returns a map of email->dn
+
+	# select users
 	c = conn.cursor()
-	c.execute("SELECT email,password,privileges from users")
+	c.execute("SELECT id, email, password, privileges from users")
+
 	users = {}
 	for row in c:
-		email=row[0]
-		password=row[1]
-		privs=row[2]
-		dn = add_user(env, ldapconn, ldap_base, ldap_users_base, ldap_domains_base, email, password, privs.split("\n"))
+		user_id=row[0]
+		email=row[1]
+		password=row[2]
+		privs=row[3]	
+		totp = None
+
+		c2 = conn.cursor()
+		c2.execute("SELECT secret, mru_token, label from mfa where user_id=? and type='totp'", (user_id,));
+		rowidx = 0
+		for row2 in c2:
+			if totp is None:
+				totp = {
+					"secret": [],
+					"mru_token": [],
+					"mru_token_time": [],
+					"label": []
+				}
+			totp["secret"].append("{%s}%s" % (rowidx, row2[0]))
+			totp["mru_token"].append("{%s}%s" % (rowidx, row2[1] or ''))
+			totp["mru_token_time"].append("{%s}%s" % (rowidx, rowidx))
+			totp["label"].append("{%s}%s" % (rowidx, row2[2] or ''))
+			rowidx += 1
+
+		dn = add_user(env, ldapconn, ldap_base, ldap_users_base, ldap_domains_base, email, password, privs.split("\n"), totp)
 		users[email] = dn
 	return users
 
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index cb8e7c53..73700512 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -329,7 +329,7 @@ rm -f /etc/cron.hourly/mailinabox-owncloud
 # and there's a lot they could mess up, so we don't make any users admins of Nextcloud.
 # But if we wanted to, we would do this:
 # ```
-# for user in $(tools/mail.py user admins); do
+# for user in $(management/cli.py user admins); do
 #	 sqlite3 $STORAGE_ROOT/owncloud/owncloud.db "INSERT OR IGNORE INTO oc_group_user VALUES ('admin', '$user')"
 # done
 # ```
diff --git a/setup/start.sh b/setup/start.sh
index 31cf0121..b5f98990 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -80,9 +80,9 @@ fi
 if [ ! -d $STORAGE_ROOT ]; then
 	mkdir -p $STORAGE_ROOT
 fi
-if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
-	echo $(setup/migrate.py --current) > $STORAGE_ROOT/mailinabox.version
-	chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
+if [ ! -f $STORAGE_ROOT/mailinabox-ldap.version ]; then
+	echo $(setup/migrate.py --current) > $STORAGE_ROOT/mailinabox-ldap.version
+	chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox-ldap.version
 fi
 
 # Save the global options in /etc/mailinabox.conf so that standalone
diff --git a/tests/lib/all.sh b/tests/lib/all.sh
index 0fa22f6c..ba246f89 100644
--- a/tests/lib/all.sh
+++ b/tests/lib/all.sh
@@ -16,4 +16,5 @@
 
 . "$1/populate.sh"     || exit 7
 . "$1/installed-state.sh" || exit 8
+. "$1/totp.sh"         || exit 9
 
diff --git a/tests/lib/rest.sh b/tests/lib/rest.sh
index 2c8fd39d..1cf6d22e 100644
--- a/tests/lib/rest.sh
+++ b/tests/lib/rest.sh
@@ -59,7 +59,15 @@ rest_urlencoded() {
                 if $onlydata; then
                     data+=("--data-urlencode" "$item");
                 else
-                    data+=("$item")
+                    # if argument is like "--header=<val>", then change to
+                    # "--header <val>" because curl wants the latter
+                    local arg="$(awk -F= '{print $1}' <<<"$item")"
+                    local val="$(awk -F= '{print substr($0,length($1)+2)}' <<<"$item")"
+                    if [ -z "$val" ]; then
+                        data+=("$item")
+                    else
+                        data+=("$arg" "$val")
+                    fi
                 fi
                 ;;
             * )
diff --git a/tests/lib/totp.sh b/tests/lib/totp.sh
new file mode 100644
index 00000000..4e419597
--- /dev/null
+++ b/tests/lib/totp.sh
@@ -0,0 +1,21 @@
+#
+# requires:
+#    mailinabox's python installed with pyotp module at
+#    /usr/local/lib/mailinabox/env
+#
+
+totp_current_token() {
+    # given a secret, get the current token
+    # token written to stdout
+    # error message to stderr
+    # return 0 if successful
+    # non-zero if an error occured
+    local secret="$1"
+    /usr/local/lib/mailinabox/env/bin/python -c "import pyotp; totp=pyotp.TOTP(r'$secret'); print(totp.now());"
+    if [ $? -ne 0 ]; then
+        return 1
+    else
+        return 0
+    fi
+}
+
diff --git a/tests/lib/totp_cli.sh b/tests/lib/totp_cli.sh
new file mode 100755
index 00000000..87110861
--- /dev/null
+++ b/tests/lib/totp_cli.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+. $(dirname "0")/totp.sh || exit 1
+
+while [ $# -gt 0 ]; do
+    arg="$1"
+    shift
+    if [ "$arg" == "token" ]; then
+        # our "authenticator app"
+        #
+        # get the current token for the secret supplied or if no
+        # secret given on the command line, from the saved secret in
+        # /tmp/totp_secret.txt
+        #
+        secret_file="/tmp/totp_secret.txt"
+        
+        if [ $# -gt 0 ]; then
+            recalled=false
+            secret="$1"
+            shift
+            
+        else
+            recalled=true
+            echo "Re-using last secret from $secret_file" 1>&2
+            secret="$(cat $secret_file)"
+            if [ $? -ne 0 ]; then
+                exit 1
+            fi
+        fi
+        
+        totp_current_token "$secret"
+        code=$?
+        if [ $code -ne 0 ]; then
+            exit 1
+            
+        elif ! $recalled; then
+            echo "Storing secret in $secret_file" 1>&2
+            touch "$secret_file" || exit 2
+            chmod 600 "$secret_file" || exit 3
+            echo -n "$secret" > "$secret_file" || exit 4
+        fi
+
+        exit 0
+    fi
+done
+
diff --git a/tests/suites/_init.sh b/tests/suites/_init.sh
index 25d8afe1..c2c3ab9d 100644
--- a/tests/suites/_init.sh
+++ b/tests/suites/_init.sh
@@ -27,6 +27,8 @@ declare -i OVERALL_COUNT_SUITES=0
 FAILURE_IS_FATAL=no
 DUMP_FAILED_TESTS_OUTPUT=no
 SKIP_REMOTE_SMTP_TESTS=no
+DETECT_SLAPD_LOG_ERROR_OUTPUT=brief
+DETECT_SYSLOG_ERROR_OUTPUT=normal
 
 # record a list of output files for failed tests
 FAILED_TESTS_MANIFEST="$BASE_OUTPUTDIR/failed_tests_manifest.txt"
@@ -166,7 +168,7 @@ skip_test() {
 	if [ "$SKIP_REMOTE_SMTP_TESTS" == "yes" ] &&
 		   array_contains "remote-smtp" "$@";
 	then
-		test_skip "-no-smtp-remote option given"
+		test_skip "no-smtp-remote option given"
 		return 0
 	fi
 	
diff --git a/tests/suites/_ldap-functions.sh b/tests/suites/_ldap-functions.sh
index 6c69200d..1d34b63a 100644
--- a/tests/suites/_ldap-functions.sh
+++ b/tests/suites/_ldap-functions.sh
@@ -29,6 +29,7 @@ create_user() {
 	local email="$1"
 	local pass="${2:-$email}"
 	local priv="${3:-test}"
+	local totpVal="${4:-}"  # "secret,token,label"
 	local localpart="$(awk -F@ '{print $1}' <<< "$email")"
 	local domainpart="$(awk -F@ '{print $2}' <<< "$email")"
 	#local uid="$localpart"
@@ -39,19 +40,36 @@ create_user() {
 
 	record "[create user $email ($dn)]"
 	delete_dn "$dn"
-	
+
+    # totpSecret: base-32 digits (see RFC 4648), qty 32
+	# totpMruToken: base-10 digits, qty 6
+	# note: comma is not a base32 symbol
+	local totpObjectClass=""
+	local totpSecret="$(awk -F, '{print $1}' <<< "$totpVal")"
+	local totpMruToken="$(awk -F, '{print $2}' <<< "$totpVal")"
+	local totpMruTokenTime=""
+	local totpLabel="$(awk -F, '{print $3}' <<< "$totpVal")"
+	if [ ! -z "$totpVal" ]; then
+		local nl=$'\n'
+		totpObjectClass="${nl}objectClass: totpUser"
+		totpSecret="${nl}totpSecret: {0}${totpSecret}"
+		totpMruToken="${nl}totpMruToken: {0}${totpMruToken}"
+		totpMruTokenTime="${nl}totpMruTokenTime: $(date +%s)0000000000"
+		totpLabel="${nl}totpLabel: {0}${totpLabel}"
+	fi
+
 	ldapadd -H "$LDAP_URL" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" >>$TEST_OF 2>&1 <<EOF
 dn: $dn
 objectClass: inetOrgPerson
 objectClass: mailUser
-objectClass: shadowAccount
+objectClass: shadowAccount${totpObjectClass}
 uid: $uid
 cn: $localpart
 sn: $localpart
 displayName: $localpart
 mail: $email
 maildrop: $email
-mailaccess: $priv
+mailaccess: $priv${totpSecret}${totpMruToken}${totpMruTokenTime}${totpLabel}
 userPassword: $(slappasswd_hash "$pass")
 EOF
 	[ $? -ne 0 ] && die "Unable to add user $dn (as admin)"
diff --git a/tests/suites/_mail-functions.sh b/tests/suites/_mail-functions.sh
index 685282d7..6e94efa2 100644
--- a/tests/suites/_mail-functions.sh
+++ b/tests/suites/_mail-functions.sh
@@ -101,10 +101,12 @@ detect_syslog_error() {
 		let ec=0 # error count
 		let wc=0 # warning count
 		while read line; do
+			# named[7940]: dispatch 0x7f460c02c3a0: shutting down due to TCP receive error: 199.249.112.1#53: connection reset
 			awk '
 /status=(bounced|deferred|undeliverable)/  { exit 1 }
 /warning:/ && /spamhaus\.org: RBL lookup error:/ { exit 2 }
 !/postfix\/qmgr/ && /warning:/	{ exit 1 }
+/named\[[0-9]+\]:.* receive error: .*: connection reset/ { exit 2 }
 /(fatal|reject|error):/	 { exit 1 }
 /Error in /			{ exit 1 }
 /Exception on /     { exit 1 }
@@ -118,7 +120,9 @@ detect_syslog_error() {
 				let wc+=1
 				record "$F_WARN[ WARN] $line$F_RESET"
 			else
-				record "[   OK] $line"
+				if [ "$DETECT_SYSLOG_ERROR_OUTPUT" != "brief" ]; then
+					record "[   OK] $line"
+				fi
 			fi
 		done
 		[ $ec -gt 0 ] && exit 0
@@ -177,7 +181,9 @@ detect_slapd_log_error() {
 			elif [ $r -eq 3 ]; then
 				let ignored+=1
 			else
-				record "[   OK] $line"
+				if [ "$DETECT_SLAPD_LOG_ERROR_OUTPUT" != "brief" ]; then
+					record "[   OK] $line"
+				fi
 			fi
 		done
 		record "$ignored unreported/ignored log lines"
diff --git a/tests/suites/_mgmt-functions.sh b/tests/suites/_mgmt-functions.sh
index 422e447e..75278e58 100644
--- a/tests/suites/_mgmt-functions.sh
+++ b/tests/suites/_mgmt-functions.sh
@@ -49,6 +49,20 @@ mgmt_rest() {
 	return $?
 }
 
+mgmt_rest_as_user() {
+	# Issue a REST call to the management subsystem
+	local verb="$1" # eg "POST"
+	local uri="$2"  # eg "/mail/users/add"
+	local email="$3"  # eg "alice@somedomain.com"
+	local pw="$4"   # user's password
+	shift; shift; shift; shift   # remaining arguments are data
+
+	# call function from lib/rest.sh
+	rest_urlencoded "$verb" "$uri" "${email}" "${pw}" "$@" >>$TEST_OF 2>&1
+	return $?
+}
+
+
 
 mgmt_create_user() {
 	local email="$1"
@@ -145,3 +159,235 @@ mgmt_assert_delete_alias_group() {
 	fi
 	return 0
 }
+
+
+mgmt_privileges_add() {
+	local user="$1"
+	local priv="$2"  # only one privilege allowed
+	record "[add privilege '$priv' to $user]"
+	mgmt_rest POST "/admin/mail/users/privileges/add" "email=$user" "privilege=$priv"
+	rc=$?
+	return $rc
+}
+
+mgmt_assert_privileges_add() {
+	if ! mgmt_privileges_add "$@"; then
+		test_failure "Unable to add privilege '$2' to $1"
+		test_failure "${REST_ERROR}"
+		return 1
+	fi
+	return 0
+}
+
+mgmt_get_totp_token() {
+	local secret="$1"
+	local mru_token="$2"
+	
+	TOTP_TOKEN="" # this is set to the acquired token on success
+
+	# the user would normally give the secret to an authenticator app
+	# and get a token -- we'll do that out-of-band.  we have to run
+	# the admin's python because setup does not do a 'pip install
+	# pyotp', so the system python3 probably won't have it
+
+	record "[Get the current token for the secret '$secret']"
+
+	local count=0
+	
+	while [ -z "$TOTP_TOKEN" -a $count -lt 10 ]; do
+		TOTP_TOKEN="$(totp_current_token "$secret" 2>>"$TEST_OF")"
+		if [ $? -ne 0 ]; then
+			record "Failed: Could not get the TOTP token !"
+			return 1
+		fi
+
+		if [ "$TOTP_TOKEN" == "$mru_token" ]; then
+			TOTP_TOKEN=""
+			record "Waiting for unique token!"
+			sleep 5
+		else
+			record "Success: token is '$TOTP_TOKEN'"
+			return 0
+		fi
+		
+		let count+=1
+	done
+
+	record "Failed: timeout !"
+	TOTP_TOKEN=""
+	return 1	
+}
+
+mgmt_mfa_status() {
+	local user="$1"
+	local pw="$2"
+	record "[Get MFA status]"
+	if ! mgmt_rest_as_user "POST" "/admin/mfa/status" "$user" "$pw"; then
+		REST_ERROR="Failed: POST /admin/mfa/status: $REST_ERROR"
+		return 1
+	fi
+	# json is in REST_OUTPUT...
+	return 0
+}
+
+
+mgmt_totp_enable() {
+	# enable TOTP for user specified
+	#   returns 0 if successful and TOTP_SECRET will contain the secret and TOTP_TOKEN will contain the token used
+	#   returns 1 if a REST error occured. $REST_ERROR has the message
+	#   returns 2 if some other error occured
+	#
+	
+	local user="$1"
+	local pw="$2"
+	local label="$3"  # optional
+	TOTP_SECRET=""
+
+	record "[Enable TOTP for $user]"
+
+	# 1. get a totp secret
+	if ! mgmt_mfa_status "$user" "$pw"; then
+		return 1
+	fi
+	
+	TOTP_SECRET="$(/usr/bin/jq -r ".new_mfa.totp.secret" <<<"$REST_OUTPUT")"
+	if [ $? -ne 0 ]; then
+		record "Unable to obtain setup totp secret - is 'jq' installed?"
+		return 2
+	fi
+
+	if [ "$TOTP_SECRET" == "null" ]; then
+		record "No 'totp_secret' in the returned json !"
+		return 2
+	else
+		record "Found TOTP secret '$TOTP_SECRET'"
+	fi
+	
+	if ! mgmt_get_totp_token "$TOTP_SECRET"; then
+		return 2
+	fi
+	
+	# 2. enable TOTP
+	record "Enabling TOTP using the secret and token"
+	if ! mgmt_rest_as_user "POST" "/admin/mfa/totp/enable" "$user" "$pw" "secret=$TOTP_SECRET" "token=$TOTP_TOKEN" "label=$label"; then
+		REST_ERROR="Failed: POST /admin/mfa/totp/enable: ${REST_ERROR}"
+		return 1
+	else
+		record "Success: POST /mfa/totp/enable: '$REST_OUTPUT'"
+	fi
+		
+	return 0
+}
+
+
+mgmt_assert_totp_enable() {
+	local user="$1"
+	mgmt_totp_enable "$@"
+	local code=$?
+	if [ $code -ne 0 ]; then
+		test_failure "Unable to enable TOTP for $user"
+		if [ $code -eq 1 ]; then
+			test_failure "${REST_ERROR}"
+		fi
+		return 1
+	fi
+	get_attribute "$LDAP_USERS_BASE" "(&(mail=$user)(objectClass=totpUser))" "dn"
+	if [ -z "$ATTR_DN" ]; then
+		test_failure "totpUser objectClass not present on $user"
+	fi
+	record_search "(mail=$user)"
+	return 0
+}
+
+
+mgmt_mfa_disable() {
+	# returns:
+	#    0: success
+	#    1: a REST error occurred, message in REST_ERROR
+	#    2: some system error occured
+	#    3: mfa is not configured for the user specified
+	local user="$1"
+	local pw="$2"
+	local mfa_id="$3"
+	
+	record "[Disable MFA for $user]"
+	if [ "$mfa_id" == "all" ]; then
+		mfa_id=""
+	elif [ "$mfa_id" == "" ]; then
+		# get first mfa-id
+		if ! mgmt_mfa_status "$user" "$pw"; then
+			return 1
+		fi
+		
+		mfa_id="$(/usr/bin/jq -r ".enabled_mfa[0].id" <<<"$REST_OUTPUT")"
+		if [ $? -ne 0 ]; then
+			record "Unable to use /usr/bin/jq - is it installed?"
+			return 2
+		fi
+		if [ "$mfa_id" == "null" ]; then
+			record "No enabled mfa found at .enabled_mfa[0].id"
+			return 3
+		fi
+	fi
+	
+
+	
+	if ! mgmt_rest_as_user "POST" "/admin/mfa/disable" "$user" "$pw" "mfa-id=$mfa_id"
+	then
+		REST_ERROR="Failed: POST /admin/mfa/disable: $REST_ERROR"
+		return 1
+	else
+		record "Success"
+		return 0
+	fi
+}
+
+mgmt_assert_mfa_disable() {
+	local user="$1"
+	mgmt_mfa_disable "$@"
+	local code=$?
+	if [ $code -ne 0 ]; then
+		test_failure "Unable to disable MFA for $user: $REST_ERROR"
+		return 1
+	fi
+	get_attribute "$LDAP_USERS_BASE" "(&(mail=$user)(objectClass=totpUser))" "dn"
+	if [ ! -z "$ATTR_DN" ]; then
+		test_failure "totpUser objectClass still present on $user"
+	fi
+	record_search "(mail=$user)"
+	return 0
+}
+
+mgmt_assert_admin_me() {
+	local user="$1"
+	local pw="$2"
+	local expected_status="${3:-ok}"
+	shift; shift; shift;  # remaining arguments are data
+
+	# note: GET /admin/me always returns http status 200, but errors are in
+	# the json payload
+	record "[Get /admin/me as $user]"
+	if ! mgmt_rest_as_user "GET" "/admin/me" "$user" "$pw" "$@"; then
+		test_failure "GET /admin/me as $user failed: $REST_ERROR"
+		return 1
+
+	else
+		local status code
+		status="$(/usr/bin/jq -r '.status' <<<"$REST_OUTPUT")"
+		code=$?
+		if [ $code -ne 0 ]; then
+			test_failure "Unable to run jq ($code) on /admin/me json"
+			return 1
+				
+		elif [ "$status" == "null" ]; then
+			test_failure "No 'status' in /admin/me json"
+			return 1
+
+		elif [ "$status" != "$expected_status" ]; then
+			test_failure "Expected a login status of '$expected_status', but got '$status'"
+			return 1
+			
+		fi
+	fi
+	return 0
+}
diff --git a/tests/suites/ldap-access.sh b/tests/suites/ldap-access.sh
index d35d2834..1c2393ff 100644
--- a/tests/suites/ldap-access.sh
+++ b/tests/suites/ldap-access.sh
@@ -3,14 +3,16 @@
 # Access assertions:
 #	service accounts, except management:
 #	   can bind but not change passwords, including their own
-#	   can read all attributes of all users but not userPassword
-#	   can not write any user attributes, include shadowLastChange
+#	   can read all attributes of all users but not userPassword, totpSecret, totpMruTokenTime, totpMruToken, totpLabel
+#	   can not write any user attributes, including shadowLastChange
 #	   can read config subtree (permitted-senders, domains)
 #	   no access to services subtree, except their own dn
 #	users:
 #	   can bind and change their own password
 #	   can read and change their own shadowLastChange
-#	   can read attributess of all users except mailaccess
+#      no read or write access to user's own totpSecret, totpMruToken, totpMruTokenTime or totpLabel
+#	   can read attributess of all users except:
+#            mailaccess, totpSecret, totpMruToken, totpMruTokenTime, totpLabel
 #	   no access to config subtree
 #	   no access to services subtree
 #	other:
@@ -36,19 +38,25 @@ test_user_change_password() {
 
 
 test_user_access() {
-	# 1. can read attributess of all users except mailaccess
+	# 1. can read attributess of all users except mailaccess, totpSecret, totpMruToken, totpMruTokenTime, totpLabel
 	# 2. can read and change their own shadowLastChange
 	# 3. no access to config subtree
 	# 4. no access to services subtree
+	# 5. no read or write access to own totpSecret, totpMruToken, totpMruTokenTime, or totpLabel
+
 	test_start "user-access"
 
+	local totpSecret="12345678901234567890"
+	local totpMruToken="94287082"
+	local totpLabel="my phone"
+	
 	# create regular user's alice and bob
 	local alice="alice@somedomain.com"
-	create_user "alice@somedomain.com" "alice"
+	create_user "alice@somedomain.com" "alice" "" "$totpSecret,$totpMruToken,$totpLabel"
 	local alice_dn="$ATTR_DN"
 
 	local bob="bob@somedomain.com"
-	create_user "bob@somedomain.com" "bob"
+	create_user "bob@somedomain.com" "bob" "" "$totpSecret,$totpMruToken,$totpLabel"
 	local bob_dn="$ATTR_DN"
 
 	# alice should be able to set her own shadowLastChange
@@ -56,19 +64,29 @@ test_user_access() {
 
 	# test that alice can read her own attributes
 	assert_r_access "$alice_dn" "$alice_dn" "alice" read mail maildrop cn sn shadowLastChange
-	# alice should not have access to her own mailaccess, though
-	assert_r_access "$alice_dn" "$alice_dn" "alice" no-read mailaccess
+	
+	# alice should not have access to her own mailaccess, totpSecret, totpMruToken, totpMruTokenTime or totpLabel, though
+	assert_r_access "$alice_dn" "$alice_dn" "alice" no-read mailaccess totpSecret totpMruToken totpMruTokenTime totpLabel
+
 	# test that alice cannot change her own select attributes
 	assert_w_access "$alice_dn" "$alice_dn" "alice"
 
+	# test that alice cannot change her own totpSecret, totpMruToken, totpMruTokenTime or totpLabel
+	assert_w_access "$alice_dn" "$alice_dn" "alice" no-write "totpSecret=ABC" "totpMruToken=123456" "totpMruTokenTime=123" "totpLabel=x-phone"
+
 	
 	# test that alice can read bob's attributes
 	assert_r_access "$bob_dn" "$alice_dn" "alice" read mail maildrop cn sn
-	# alice does not have access to bob's mailaccess though
-	assert_r_access "$bob_dn" "$alice_dn" "alice" no-read mailaccess
-	# test that alice cannot change bob's attributes
+	
+	# alice should not have access to bob's mailaccess, totpSecret, totpMruToken, totpMruTokenTime, or totpLabel
+	assert_r_access "$bob_dn" "$alice_dn" "alice" no-read mailaccess totpSecret totpMruToken totpMruTokenTime totpLabel
+	
+	# test that alice cannot change bob's select attributes
 	assert_w_access "$bob_dn" "$alice_dn" "alice"
 
+	# test that alice cannot change bob's attributes
+	assert_w_access "$bob_dn" "$alice_dn" "alice" no-write "totpSecret=ABC" "totpMruToken=123456" "totpMruTokenTime=345" "totpLabel=x-phone"
+
 
 	# test that alice cannot read a service account's attributes
 	assert_r_access "$LDAP_POSTFIX_DN" "$alice_dn" "alice"
@@ -132,9 +150,13 @@ test_service_access() {
 	
 	test_start "service-access"
 
+	local totpSecret="12345678901234567890"
+	local totpMruToken="94287082"
+	local totpLabel="my phone"
+	
 	# create regular user with password "alice"
 	local alice="alice@somedomain.com"
-	create_user "alice@somedomain.com" "alice"
+	create_user "alice@somedomain.com" "alice" "" "$totpSecret,$totpMruToken,$totpLabel"
 
 	# create a test service account
 	create_service_account "test" "test"
@@ -154,12 +176,12 @@ test_service_access() {
 		# check that service account can read user attributes
 		assert_r_access "$alice_dn" "$LDAP_POSTFIX_DN" "$LDAP_POSTFIX_PASSWORD" read mail maildrop uid cn sn shadowLastChange
 		
-		# service account should not be able to read user's userPassword
-		assert_r_access "$alice_dn" "$LDAP_POSTFIX_DN" "$LDAP_POSTFIX_PASSWORD" no-read userPassword
+		# service account should not be able to read user's userPassword, totpSecret, totpMruToken, totpMruTokenTime, or totpLabel
+		assert_r_access "$alice_dn" "$LDAP_POSTFIX_DN" "$LDAP_POSTFIX_PASSWORD" no-read userPassword totpSecret totpMruToken totpMruTokenTime totpLabel
 
 		# service accounts cannot change user attributes
 		assert_w_access "$alice_dn" "$LDAP_POSTFIX_DN" "$LDAP_POSTFIX_PASSWORD"
-		assert_w_access "$alice_dn" "$LDAP_POSTFIX_DN" "$LDAP_POSTFIX_PASSWORD" no-write "shadowLastChange=1"
+		assert_w_access "$alice_dn" "$LDAP_POSTFIX_DN" "$LDAP_POSTFIX_PASSWORD" no-write "shadowLastChange=1" "totpSecret=ABC" "totpMruToken=333333" "totpMruTokenTime=123" "totpLabel=x-phone"
 	fi
 
 	# service accounts can read config subtree (permitted-senders, domains)
diff --git a/tests/suites/management-users.sh b/tests/suites/management-users.sh
index 1cc0f0fc..a633c49c 100644
--- a/tests/suites/management-users.sh
+++ b/tests/suites/management-users.sh
@@ -200,8 +200,99 @@ test_intl_domains() {
 }
 
 
+
+test_totp() {
+	test_start "totp"
+
+	# alice
+	local alice="alice@somedomain.com"
+	local alice_pw="$(generate_password 16)"
+
+	start_log_capture
+
+	# create alice
+	mgmt_assert_create_user "$alice" "$alice_pw"
+
+	# alice must be admin to use TOTP
+	if ! have_test_failures; then
+		if mgmt_totp_enable "$alice" "$alice_pw"; then
+			test_failure "User must be an admin to use TOTP, but server allowed it"
+		else
+			mgmt_assert_privileges_add "$alice" "admin"
+		fi
+	fi
+
+	# add totp to alice's account (if successful, secret is in TOTP_SECRET)
+	if ! have_test_failures; then
+		mgmt_assert_totp_enable "$alice" "$alice_pw"
+		# TOTP_SECRET and TOTP_TOKEN are now set...
+	fi
+
+	# logging in with just the password should now fail
+	if ! have_test_failures; then
+		record "Expect a login failure..."
+		mgmt_assert_admin_me "$alice" "$alice_pw" "missing-totp-token"
+	fi
+	
+
+	# logging into /admin/me with a password and a token should
+	# succeed, and an api_key generated
+	local api_key
+	if ! have_test_failures; then		
+		record "Try using a password and a token to get the user api key, we may have to wait 30 seconds to get a new token..."
+
+		local old_totp_token="$TOTP_TOKEN"
+		if ! mgmt_get_totp_token "$TOTP_SECRET" "$TOTP_TOKEN"; then
+			test_failure "Could not obtain a new TOTP token"
+			
+		else
+			# we have a new token, try logging in ...
+			# the token must be placed in the header "x-auth-token"
+			if mgmt_assert_admin_me "$alice" "$alice_pw" "ok" "--header=x-auth-token: $TOTP_TOKEN"
+			then
+				api_key="$(/usr/bin/jq -r '.api_key' <<<"$REST_OUTPUT")"
+				record "Success: login with TOTP token successful. api_key=$api_key"
+
+				# ensure the totpMruToken was changed in LDAP
+				get_attribute "$LDAP_USERS_BASE" "(mail=$alice)" "totpMruToken"
+				if [ "$ATTR_VALUE" != "{0}$TOTP_TOKEN" ]; then
+					record_search "(mail=$alice)"
+					test_failure "totpMruToken wasn't updated in LDAP"
+				fi
+			fi
+		fi
+	fi
+
+	# we should be able to login using the user's api key
+	if ! have_test_failures; then		
+		record "Login using the user's api key"
+		mgmt_assert_admin_me "$alice" "$api_key" "ok"
+	fi
+
+	# disable totp on the account - login should work with just the password
+	# and the ldap entry should not have the 'totpUser' objectClass
+	if ! have_test_failures; then		
+		if mgmt_assert_mfa_disable "$alice" "$api_key"; then
+			mgmt_assert_admin_me "$alice" "$alice_pw" "ok"
+		fi
+	fi
+
+	# check for errors in system logs
+	if ! have_test_failures; then
+		assert_check_logs
+	else
+		check_logs
+	fi
+	
+	mgmt_assert_delete_user "$alice"
+	test_end
+}
+
+
+
 suite_start "management-users" mgmt_start
 
+test_totp
 test_mixed_case_domains
 test_mixed_case_users
 test_intl_domains
diff --git a/tests/suites/upgrade.sh b/tests/suites/upgrade.sh
index a8586f70..6a4ebf99 100644
--- a/tests/suites/upgrade.sh
+++ b/tests/suites/upgrade.sh
@@ -38,7 +38,7 @@ verify_populate() {
 
 
 
-suite_start "upgrade"
+suite_start "upgrade-$1"
 
 export ASSETS_DIR
 export MIAB_DIR
diff --git a/tests/system-setup/populate/totpuser-data.sh b/tests/system-setup/populate/totpuser-data.sh
new file mode 100755
index 00000000..f1db3a86
--- /dev/null
+++ b/tests/system-setup/populate/totpuser-data.sh
@@ -0,0 +1,10 @@
+#
+# requires:
+#    lib scripts: [ misc.sh ]
+#    system-setup scripts: [ setup-defaults.sh ]
+#
+
+TEST_USER="totp_admin@$(email_domainpart "$EMAIL_ADDR")"
+TEST_USER_PASS="$(static_qa_password)"
+TEST_USER_TOTP_SECRET="6VXVWOSCY7JLU4VBZ6LQEJSBN6WYWECU"
+TEST_USER_TOTP_LABEL="my phone"
diff --git a/tests/system-setup/populate/totpuser-populate.sh b/tests/system-setup/populate/totpuser-populate.sh
new file mode 100755
index 00000000..69fca814
--- /dev/null
+++ b/tests/system-setup/populate/totpuser-populate.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. "$(dirname "$0")/../setup-defaults.sh" || exit 1
+. "$(dirname "$0")/../../lib/all.sh" "$(dirname "$0")/../../lib" || exit 1
+. "$(dirname "$0")/totpuser-data.sh" || exit 1
+
+
+url=""
+admin_email="$EMAIL_ADDR"
+admin_pass="$EMAIL_PW"
+
+
+#
+# Add user
+#
+if ! populate_miab_users "$url" "$admin_email" "$admin_pass" "${TEST_USER}:${TEST_USER_PASS}"
+then
+    echo "Unable to add user"
+    exit 1
+fi
+
+# make the user an admin
+if ! rest_urlencoded POST "${url%/}/admin/mail/users/privileges/add" "$admin_email" "$admin_pass" --insecure -- "email=$TEST_USER" "privilege=admin" 2>/dev/null
+then
+    echo "Unable to add 'admin' privilege. err=$REST_ERROR" 1>&2
+    exit 1
+fi
+
+# enable totp
+token="$(totp_current_token "$TEST_USER_TOTP_SECRET")"
+if ! rest_urlencoded POST "${url%/}/admin/mfa/totp/enable" "$TEST_USER" "$TEST_USER_PASS" --insecure "secret=$TEST_USER_TOTP_SECRET" "token=$token" "label=$TEST_USER_TOTP_LABEL" 2>/dev/null; then
+    echo "Unable to enable TOTP. err=$REST_ERROR" 1>&2
+    exit 1
+fi
+
+
+exit 0
+
diff --git a/tests/system-setup/populate/totpuser-verify.sh b/tests/system-setup/populate/totpuser-verify.sh
new file mode 100755
index 00000000..7e39f463
--- /dev/null
+++ b/tests/system-setup/populate/totpuser-verify.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+. "$(dirname "$0")/../setup-defaults.sh" || exit 1
+. "$(dirname "$0")/../../lib/all.sh" "$(dirname "$0")/../../lib" || exit 1
+. "$(dirname "$0")/totpuser-data.sh" || exit 1
+
+. /etc/mailinabox.conf || exit 1
+. "${STORAGE_ROOT}/ldap/miab_ldap.conf" || exit 1
+
+
+die() {
+    echo "$1"
+    exit 1
+}
+
+. "$MIAB_DIR/setup/functions-ldap.sh" || exit 1
+
+
+# the user's ldap entry contains the TOTP secret
+# 
+# other tests verify the functioning of totp - just make sure the totp
+# secret was migrated
+#
+get_attribute "$LDAP_USERS_BASE" "(&(mail=$TEST_USER)(objectClass=totpUser))" "totpSecret"
+if [ -z "$ATTR_DN" ]; then
+	echo "totpUser objectClass and secret not present"
+    exit 1
+fi
+
+if [ "$ATTR_VALUE" != "{0}$TEST_USER_TOTP_SECRET" ]; then
+    echo "totpSecret mismatch"
+    exit 1
+fi
+
+echo "OK totpuser-verify passed"
+exit 0
diff --git a/tests/system-setup/setup-defaults.sh b/tests/system-setup/setup-defaults.sh
index f9a4330e..0c6a9a78 100755
--- a/tests/system-setup/setup-defaults.sh
+++ b/tests/system-setup/setup-defaults.sh
@@ -34,4 +34,5 @@ export NC_ADMIN_USER="${NC_ADMIN_USER:-admin}"
 export NC_ADMIN_PASSWORD="${NC_ADMIN_PASSWORD:-Test_1234}"
 
 # For setup scripts that install upstream versions
-export MIAB_UPSTREAM_GIT="https://github.com/mail-in-a-box/mailinabox.git"
+export MIAB_UPSTREAM_GIT="${MIAB_UPSTREAM_GIT:-https://github.com/mail-in-a-box/mailinabox.git}"
+export UPSTREAM_TAG="${UPSTREAM_TAG:-}"
diff --git a/tests/system-setup/setup-funcs.sh b/tests/system-setup/setup-funcs.sh
index ca13abfb..226c0f6a 100755
--- a/tests/system-setup/setup-funcs.sh
+++ b/tests/system-setup/setup-funcs.sh
@@ -118,8 +118,9 @@ init_miab_testing() {
     
     # python3-dnspython: is used by the python scripts in 'tests' and is
     #   not installed by setup
+    # also install 'jq' for json processing
     wait_for_apt
-    apt-get install -y -qq python3-dnspython
+    apt-get install -y -qq python3-dnspython jq
     
     # copy in pre-built MiaB-LDAP ssl files
     #   1. avoid the lengthy generation of DH params
@@ -234,12 +235,13 @@ miab_ldap_install() {
 
 
 populate_by_name() {
-    local populate_name="$1"
-
-    H1 "Populate Mail-in-a-Box ($populate_name)"
-    local populate_script="tests/system-setup/populate/${populate_name}-populate.sh"
-    if [ ! -e "$populate_script" ]; then
-        die "Does not exist: $populate_script"
-    fi
-    "$populate_script" || die "Failed: $populate_script"
+    local populate_name
+    for populate_name; do
+        H1 "Populate Mail-in-a-Box ($populate_name)"
+        local populate_script="tests/system-setup/populate/${populate_name}-populate.sh"
+        if [ ! -e "$populate_script" ]; then
+            die "Does not exist: $populate_script"
+        fi
+        "$populate_script" || die "Failed: $populate_script"
+    done
 }
diff --git a/tests/system-setup/upgrade-from-upstream.sh b/tests/system-setup/upgrade-from-upstream.sh
index 6ae4ac16..72e6057d 100755
--- a/tests/system-setup/upgrade-from-upstream.sh
+++ b/tests/system-setup/upgrade-from-upstream.sh
@@ -113,7 +113,7 @@ case "$1" in
         ;;
     populate )
         . /etc/mailinabox.conf
-        populate_by_name "${1:-basic}"
+        populate_by_name "${2:-basic}"
         exit $?
         ;;
 esac
@@ -137,7 +137,11 @@ else
     . /etc/mailinabox.conf
     
     # populate some data
-    populate_by_name "${1:-basic}"
+    if [ $# -gt 0 ]; then
+        populate_by_name "$@"
+    else
+        populate_by_name "basic" "totpuser"
+    fi
 
     # capture upstream state
     pushd "$upstream_dir" >/dev/null
diff --git a/tests/vagrant/Vagrantfile b/tests/vagrant/Vagrantfile
index 9dc982a7..a7c7ff2d 100644
--- a/tests/vagrant/Vagrantfile
+++ b/tests/vagrant/Vagrantfile
@@ -4,10 +4,20 @@ Vagrant.configure("2") do |config|
   config.vm.synced_folder "../..", "/mailinabox", id: "mailinabox", automount: false
   config.vm.provision "file", source:"globals.sh", destination:"globals.sh"
 
+  if File.file?("preloaded/preloaded-ubuntu-bionic64.box")
+    config.vm.box = "preloaded-ubuntu-bionic64"
+    config.vm.box_url = "file://" + Dir.pwd + "/preloaded/preloaded-ubuntu-bionic64.box"
+    if Vagrant.has_plugin?('vagrant-vbguest')
+      # do NOT check the correct additions version when booting this machine
+      config.vbguest.auto_update = false
+    end
+  else
+    config.vm.box = "ubuntu/bionic64"
+  end
+
   # fresh install with encryption-at-rest
 
   config.vm.define "remote-nextcloud-docker-ehdd" do |m1|
-    m1.vm.box = "ubuntu/bionic64"
     m1.vm.provision :shell, :inline => <<-SH
 source globals.sh || exit 1
 export PRIMARY_HOSTNAME=qa1.abc.com
@@ -26,7 +36,6 @@ SH
   # remote-nextcloud-docker w/basic data
 
   config.vm.define "remote-nextcloud-docker" do |m1|
-    m1.vm.box = "ubuntu/bionic64"
     m1.vm.provision :shell, :inline => <<-SH
 source globals.sh || exit 1
 export PRIMARY_HOSTNAME=qa2.abc.com
@@ -43,16 +52,15 @@ SH
 
   # upgrade-from-upstream
   
-  config.vm.define "upgrade-from-upstream" do |m2|
-    m2.vm.box = "ubuntu/bionic64"
-    m2.vm.provision :shell, :inline => <<-SH
+  config.vm.define "upgrade-from-upstream" do |m1|
+    m1.vm.provision :shell, :inline => <<-SH
 source globals.sh || exit 1
 export PRIMARY_HOSTNAME=qa3.abc.com
 export UPSTREAM_TAG=master
 cd /mailinabox
-tests/system-setup/upgrade-from-upstream.sh basic; rc=$?
+tests/system-setup/upgrade-from-upstream.sh basic totpuser; rc=$?
 if [ $rc -eq 0 ]; then
-   tests/runner.sh default upgrade-basic; rc=$?
+   tests/runner.sh upgrade-basic upgrade-totpuser default; rc=$?
 fi
 echo "EXITCODE: $rc"
 SH
diff --git a/tests/vagrant/preloaded/.gitignore b/tests/vagrant/preloaded/.gitignore
new file mode 100644
index 00000000..fcb502a8
--- /dev/null
+++ b/tests/vagrant/preloaded/.gitignore
@@ -0,0 +1 @@
+*.box
diff --git a/tests/vagrant/preloaded/Vagrantfile b/tests/vagrant/preloaded/Vagrantfile
new file mode 100644
index 00000000..d80534b6
--- /dev/null
+++ b/tests/vagrant/preloaded/Vagrantfile
@@ -0,0 +1,19 @@
+
+Vagrant.configure("2") do |config|
+
+  config.vm.synced_folder "../../..", "/mailinabox", id: "mailinabox", automount: false
+
+  config.vm.define "preloaded-ubuntu-bionic64" do |m1|
+    m1.vm.box = "ubuntu/bionic64"
+    m1.vm.provision :shell, :inline => <<-SH
+cd /mailinabox
+tests/vagrant/preloaded/prepvm.sh --no-dry-run
+rc=$?
+echo "$rc" > "tests/vagrant/preloaded/prepcode.txt"
+[ $rc -gt 0 ] && exit 1
+exit 0
+SH
+  end
+
+
+end
diff --git a/tests/vagrant/preloaded/create_preloaded.sh b/tests/vagrant/preloaded/create_preloaded.sh
new file mode 100755
index 00000000..4666691f
--- /dev/null
+++ b/tests/vagrant/preloaded/create_preloaded.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+vagrant destroy -f
+rm -f prepcode.txt
+
+vagrant up preloaded-ubuntu-bionic64
+upcode=$?
+prepcode=$(cat "./prepcode.txt")
+rm -f prepcode.txt
+echo ""
+echo "VAGRANT UP RETURNED $upcode"
+echo "PREPVM RETURNED $prepcode"
+
+if [ "$prepcode" != "0" -o $upcode -ne 0 ]; then
+    echo "FAILED!!!!!!!!"
+    vagrant destroy -f
+    exit 1
+fi
+
+vagrant halt
+vagrant package
+rm -f preloaded.box
+mv package.box preloaded-ubuntu-bionic64.box
+
+vagrant destroy -f
diff --git a/tests/vagrant/preloaded/prepvm.sh b/tests/vagrant/preloaded/prepvm.sh
new file mode 100755
index 00000000..2892fe08
--- /dev/null
+++ b/tests/vagrant/preloaded/prepvm.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# Run this on a VM to pre-install all the packages, then
+# take a snapshot - it will greatly speed up subsequent
+# test installs
+
+#
+# What won't be installed:
+#
+# Nextcloud and Roundcube are downloaded with wget by the setup
+# scripts, so they are not included
+#
+# postfix, postgrey and slapd because they require terminal input
+#
+
+
+if [ ! -d "setup" ]; then
+    echo "Run from the miab root directory"
+    exit 1
+fi
+
+
+dry_run=true
+
+if [ "$1" == "--no-dry-run" ]; then
+    dry_run=false
+fi
+
+if $dry_run; then
+    echo "WARNING: dry run is TRUE, no changes will be made"
+fi
+
+
+remove_line_continuation() {
+    local file="$1"
+    awk '
+BEGIN            { C=0 } 
+C==1 && /[^\\]$/ { C=0; print $0; next } 
+C==1             { printf("%s",substr($0,0,length($0)-1)); next } 
+/\\$/            { C=1; printf("%s",substr($0,0,length($0)-1)); next } 
+                 { print $0 }' \
+                     "$file"
+}
+
+install_packages() {
+    while read line; do
+        pkgs=""
+        case "$line" in
+             apt_install* )
+                 pkgs="$(cut -c12- <<<"$line")"
+                 ;;
+             "apt-get install"* )
+                 pkgs="$(cut -c16- <<<"$line")"
+                 ;;
+             "apt install"* )
+                 pkgs="$(cut -c12- <<<"$line")"
+                 ;;
+        esac
+        
+        # don't install postfix - causes problems with setup scripts
+        # and requires user input. exclude postgrey because it will
+        # install postfix as a dependency
+        pkgs="$(sed 's/postgrey//g' <<< "$pkgs")"
+        pkgs="$(sed 's/postfix-[^ $]*//g' <<<"$pkgs")"
+        pkgs="$(sed 's/postfix//g' <<<"$pkgs")"
+
+        # don't install slapd - it requires user input
+        pkgs="$(sed 's/slapd//g' <<< "$pkgs")"
+        
+        if [ ! -z "$pkgs" ]; then
+            echo "install: $pkgs"
+            if ! $dry_run; then
+                apt-get install -y -qq $pkgs
+            fi
+        fi
+    done
+}
+
+if ! $dry_run; then
+    apt-get update -y
+    apt-get upgrade -y
+    apt-get autoremove -y
+fi
+
+for file in $(ls setup/*.sh); do
+    remove_line_continuation "$file" | install_packages
+done
+
+if ! $dry_run; then
+    # bonus
+    apt-get install -y -qq openssh-server
+    apt-get install -y -qq emacs-nox
+    apt-get install -y -qq ntpdate
+
+    # these are added by system-setup scripts and needed for test runner
+    apt-get install -y -qq python3-dnspython jq
+
+    # remove apache, which is what setup will do
+    apt-get -y -qq purge apache2 apache2-\*
+
+    echo ""
+    echo ""
+    echo "Done. Take a snapshot...."
+    echo ""
+fi
diff --git a/tests/vagrant/vanilla/.gitignore b/tests/vagrant/vanilla/.gitignore
new file mode 100644
index 00000000..69c190a0
--- /dev/null
+++ b/tests/vagrant/vanilla/.gitignore
@@ -0,0 +1,2 @@
+.vagrant
+*-console.log
diff --git a/tests/vagrant/vanilla/Vagrantfile b/tests/vagrant/vanilla/Vagrantfile
new file mode 100644
index 00000000..8e594afe
--- /dev/null
+++ b/tests/vagrant/vanilla/Vagrantfile
@@ -0,0 +1,28 @@
+
+Vagrant.configure("2") do |config|
+
+  config.vm.synced_folder "../../..", "/mailinabox", id: "mailinabox", automount: false
+  config.vm.provision "file", source:"../globals.sh", destination:"globals.sh"
+
+  # vanilla install
+
+  config.vm.define "vanilla" do |m1|
+    if File.file?("../preloaded/preloaded-ubuntu-bionic64.box")
+      m1.vm.box = "preloaded-ubuntu-bionic64"
+      m1.vm.box_url = "file://" + Dir.pwd + "/../preloaded/preloaded-ubuntu-bionic64.box"
+    else
+      m1.vm.box = "ubuntu/bionic64"
+    end
+    m1.vm.network "forwarded_port", guest:443, host:8443, protocol:"tcp"
+    m1.vm.provision :shell, :inline => <<-SH
+source globals.sh || exit 1
+export PRIMARY_HOSTNAME=vanilla.local
+export FEATURE_MUNIN=false
+cd /mailinabox
+tests/system-setup/vanilla.sh; rc=$?
+echo "EXITCODE: $rc"
+SH
+  end
+
+
+end
diff --git a/tools/mail.py b/tools/mail.py
index 215f39eb..f7d5b410 100755
--- a/tools/mail.py
+++ b/tools/mail.py
@@ -1,128 +1,3 @@
-#!/usr/bin/python3
-
-import sys, getpass, urllib.request, urllib.error, json, re
-
-def mgmt(cmd, data=None, is_json=False):
-	# The base URL for the management daemon. (Listens on IPv4 only.)
-	mgmt_uri = 'http://127.0.0.1:10222'
-
-	setup_key_auth(mgmt_uri)
-
-	req = urllib.request.Request(mgmt_uri + cmd, urllib.parse.urlencode(data).encode("utf8") if data else None)
-	try:
-		response = urllib.request.urlopen(req)
-	except urllib.error.HTTPError as e:
-		if e.code == 401:
-			try:
-				print(e.read().decode("utf8"))
-			except:
-				pass
-			print("The management daemon refused access. The API key file may be out of sync. Try 'service mailinabox restart'.", file=sys.stderr)
-		elif hasattr(e, 'read'):
-			print(e.read().decode('utf8'), file=sys.stderr)
-		else:
-			print(e, file=sys.stderr)
-		sys.exit(1)
-	resp = response.read().decode('utf8')
-	if is_json: resp = json.loads(resp)
-	return resp
-
-def read_password():
-    while True:
-        first = getpass.getpass('password: ')
-        if len(first) < 8:
-            print("Passwords must be at least eight characters.")
-            continue
-        second = getpass.getpass(' (again): ')
-        if first != second:
-            print("Passwords not the same. Try again.")
-            continue
-        break
-    return first
-
-def setup_key_auth(mgmt_uri):
-	key = open('/var/lib/mailinabox/api.key').read().strip()
-
-	auth_handler = urllib.request.HTTPBasicAuthHandler()
-	auth_handler.add_password(
-		realm='Mail-in-a-Box Management Server',
-		uri=mgmt_uri,
-		user=key,
-		passwd='')
-	opener = urllib.request.build_opener(auth_handler)
-	urllib.request.install_opener(opener)
-
-if len(sys.argv) < 2:
-	print("Usage: ")
-	print("  tools/mail.py user  (lists users)")
-	print("  tools/mail.py user add user@domain.com [password]")
-	print("  tools/mail.py user password user@domain.com [password]")
-	print("  tools/mail.py user remove user@domain.com")
-	print("  tools/mail.py user make-admin user@domain.com")
-	print("  tools/mail.py user remove-admin user@domain.com")
-	print("  tools/mail.py user admins (lists admins)")
-	print("  tools/mail.py alias  (lists aliases)")
-	print("  tools/mail.py alias add incoming.name@domain.com sent.to@other.domain.com")
-	print("  tools/mail.py alias add incoming.name@domain.com 'sent.to@other.domain.com, multiple.people@other.domain.com'")
-	print("  tools/mail.py alias remove incoming.name@domain.com")
-	print()
-	print("Removing a mail user does not delete their mail folders on disk. It only prevents IMAP/SMTP login.")
-	print()
-
-elif sys.argv[1] == "user" and len(sys.argv) == 2:
-	# Dump a list of users, one per line. Mark admins with an asterisk.
-	users = mgmt("/mail/users?format=json", is_json=True)
-	for domain in users:
-		for user in domain["users"]:
-			if user['status'] == 'inactive': continue
-			print(user['email'], end='')
-			if "admin" in user['privileges']:
-				print("*", end='')
-			print()
-
-elif sys.argv[1] == "user" and sys.argv[2] in ("add", "password"):
-	if len(sys.argv) < 5:
-		if len(sys.argv) < 4:
-			email = input("email: ")
-		else:
-			email = sys.argv[3]
-		pw = read_password()
-	else:
-		email, pw = sys.argv[3:5]
-
-	if sys.argv[2] == "add":
-		print(mgmt("/mail/users/add", { "email": email, "password": pw }))
-	elif sys.argv[2] == "password":
-		print(mgmt("/mail/users/password", { "email": email, "password": pw }))
-
-elif sys.argv[1] == "user" and sys.argv[2] == "remove" and len(sys.argv) == 4:
-	print(mgmt("/mail/users/remove", { "email": sys.argv[3] }))
-
-elif sys.argv[1] == "user" and sys.argv[2] in ("make-admin", "remove-admin") and len(sys.argv) == 4:
-	if sys.argv[2] == "make-admin":
-		action = "add"
-	else:
-		action = "remove"
-	print(mgmt("/mail/users/privileges/" + action, { "email": sys.argv[3], "privilege": "admin" }))
-
-elif sys.argv[1] == "user" and sys.argv[2] == "admins":
-	# Dump a list of admin users.
-	users = mgmt("/mail/users?format=json", is_json=True)
-	for domain in users:
-		for user in domain["users"]:
-			if "admin" in user['privileges']:
-				print(user['email'])
-
-elif sys.argv[1] == "alias" and len(sys.argv) == 2:
-	print(mgmt("/mail/aliases"))
-
-elif sys.argv[1] == "alias" and sys.argv[2] == "add" and len(sys.argv) == 5:
-	print(mgmt("/mail/aliases/add", { "address": sys.argv[3], "forwards_to": sys.argv[4] }))
-
-elif sys.argv[1] == "alias" and sys.argv[2] == "remove" and len(sys.argv) == 4:
-	print(mgmt("/mail/aliases/remove", { "address": sys.argv[3] }))
-
-else:
-	print("Invalid command-line arguments.")
-	sys.exit(1)
-
+#!/bin/bash
+# This script has moved.
+management/cli.py "$@"