I forgot to mention, this should work with a single account that does incoming and outgoing, by the way. The key there is to use the insecure=invite setting, as this is what causes the 407. You will still authenticate on outgoing connections, just not incoming ones (which would seem to be what we want).
[provider.tld] ; incoming and outgoing
Haven't really tested it in depth, but pretty sure it was one of the things I had tried in arriving at the solution below.