Decoupling authentication from the mail server (& maybe passkeys)
One thing that I think would be useful for a webmailer would be a way to decouple the password you use on the webmailer from the one for the mail server. In most configurations, where the mail server itself is exposed, having any sort of protection, be it a captcha or 2FA, becomes near-useless, as the mail server could just be attacked. So one idea would be to not even use the mail server password for login, but to be able to change it on the webmailer to something "user friendly" while the mail server itself keeps a strong random password. That password would rarely be needed, as these are usually saved when e.g. setting up mail clients, while a webmailer is something users are more expected to be logging into.
Heck, 2FA can also become a weak point, as even with 2FA enabled, an attacker will still be able to see that a given password is correct, as that is evaluated on its own.
On that note, one could even go a step further and allow passwordless login using passkeys.
I am not sure how the passwords of other accounts are stored, but if they are dependent on the password of the main user, the hmac-secret functionality can be useful, as it allows you to get a static key by providing a string that, as long as it doesn't change, will always yield the same result, giving you a key for en/decryption.
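The hmac-secret idea from the last paragraph, as an added example that is not part of the original post or of any webmailer's code: the strong mail server password is stored encrypted under a key derived from the authenticator's hmac-secret output. The authenticator is simulated by `simulateHmacSecret`; all function names, the HKDF info label and the record layout are assumptions made for this sketch.

```javascript
// Added example; Node.js built-in crypto only. Names and layout are assumptions.
const crypto = require("node:crypto");

// Stand-in for the authenticator: CTAP2 hmac-secret returns
// HMAC-SHA-256(per-credential secret, salt). The secret never leaves the device.
function simulateHmacSecret(credSecret, salt) {
  return crypto.createHmac("sha256", credSecret).update(salt).digest();
}

// Turn the authenticator output into an AES-256 key bound to a single purpose.
function deriveWrapKey(hmacOutput) {
  return Buffer.from(crypto.hkdfSync("sha256", hmacOutput, Buffer.alloc(0),
    "webmail:imap-password-wrap", 32));
}

// Encrypt the mail server password; the returned record is what gets stored.
function wrapPassword(key, password) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(password, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Returns the password, or null when the key is wrong or the record was altered.
function unwrapPassword(key, rec) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, rec.iv);
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample values.
const credSecret = crypto.randomBytes(32); // lives inside the passkey
const salt = crypto.randomBytes(32);       // stored by the webmailer, per user
const imapPassword = crypto.randomBytes(24).toString("base64url");

const record = wrapPassword(deriveWrapKey(simulateHmacSecret(credSecret, salt)), imapPassword);
// Later login: same credential and same salt give the same key.
const again = unwrapPassword(deriveWrapKey(simulateHmacSecret(credSecret, salt)), record);
// A different passkey gives a different key, and GCM rejects the record.
const other = unwrapPassword(deriveWrapKey(simulateHmacSecret(crypto.randomBytes(32), salt)), record);
console.log(again === imapPassword, other === null);
```

Because the key exists only while the passkey is present, each registered passkey needs its own wrapped copy of the password, and losing every passkey means the stored record can no longer be decrypted.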
