[Imap-protocol] Re: [yam] draft-daboo-srv-email: POP3S/IMAPS?

Timo Sirainen tss at iki.fi
Mon Jan 18 05:14:10 PST 2010


On 18.1.2010, at 13.22, Arnt Gulbrandsen wrote:


> Ned Freed writes:

>> The absence of a technical justification doesn't mean no other sort of justification exists.

>

> I asked three admins about that in 2007, all said "we want all access to be encrypted and imaps/pop3s/smtps is the practical way to get that". Statistics isn't my field, three identical answers was enough for me, and I concluded that SSL wrapping will remain in use until mail servers offer configuration settings to allow/prevent plaintext access to mail.


Such a setting doesn't help. Dovecot has had one since the beginning and people still configure it to give only imaps/pop3s access. I think there are two big reasons for this:

1) Clients are stupid and issue a plaintext LOGIN command even if LOGINDISABLED is advertised. So with such clients it's easy to accidentally expose username and password.

2) It's easier to enforce "SSL-only" traffic in firewall rules based on ports. For example they'll keep both imap and imaps enabled, but only imaps is allowed outside intranet.

(And yeah, then there's probably the biggest reason that people just don't understand that imap/pop3 port supports SSL/TLS.)
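
[Added example, not part of the original message or of Dovecot:] a sketch of how an admin could check client-side protocol traces for the behaviour in reason 1, a LOGIN sent before TLS is active, and whether LOGINDISABLED had been advertised at that point. The trace format, the sample session and the function name are assumptions made for this illustration.

```python
import re

# Matches "* CAPABILITY ..." and the "[CAPABILITY ...]" response code.
CAPABILITY_RE = re.compile(r"(?:^\* |\[)CAPABILITY ([^\]\r\n]*)", re.IGNORECASE)

# Constructed sample trace of one port-143 session: "C" = client, "S" = server.
SAMPLE_SESSION = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("C", "a1 CAPABILITY"),
    ("S", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"),
    ("S", "a1 OK done"),
    ("C", "a2 LOGIN alice hunter2"),      # sent in the clear despite LOGINDISABLED
    ("S", "a2 NO plaintext login refused"),
    ("C", "a3 STARTTLS"),
    ("S", "a3 OK begin TLS negotiation"),
    ("C", "a4 LOGIN alice hunter2"),      # inside TLS, not a finding
]

def find_plaintext_logins(session):
    """Return one finding per LOGIN command issued before TLS was active."""
    tls_active = False
    login_disabled = False
    starttls_tag = None
    findings = []
    for direction, line in session:
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        tag, word = parts[0], parts[1].upper()
        if direction == "S":
            if starttls_tag == tag and word == "OK":
                # TLS starts now; RFC 3501 requires cached capabilities to be discarded.
                tls_active, login_disabled, starttls_tag = True, False, None
            caps = CAPABILITY_RE.search(line)
            if caps:
                login_disabled = "LOGINDISABLED" in caps.group(1).upper().split()
        elif word == "STARTTLS":
            starttls_tag = tag
        elif word == "LOGIN" and not tls_active:
            # Record only the tag, never the credentials themselves.
            findings.append({"tag": tag, "ignored_logindisabled": login_disabled})
    return findings

if __name__ == "__main__":
    for finding in find_plaintext_logins(SAMPLE_SESSION):
        print(finding)
```

Any finding means the password already crossed the wire in the clear, whatever the server answered, so the account's credentials should be treated as exposed.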

