[Imap-protocol] Re: [yam] draft-daboo-srv-email: POP3S/IMAPS?

Arnt Gulbrandsen arnt at gulbrandsen.priv.no
Mon Jan 18 05:26:36 PST 2010


Timo Sirainen writes:

> Such setting doesn't help.


Such a setting is necessary, not sufficient.


> Dovecot has had one since the beginning and people still configure it
> to give only imaps/pop3s access. I think there are two big reasons
> for this:
>
> 1) Clients are stupid and issue plaintext LOGIN command even if
> LOGINDISABLED is advertised. So with such clients it's easy to
> accidentally expose username and password.


Good point.


> 2) It's easier to enforce "SSL-only" traffic in firewall rules based
> on ports. For example they'll keep both imap and imaps enabled, but
> only imaps is allowed outside intranet.


Yeah. But I can't remember talking to anyone who really cared about
allowing cleartext imap inside the firewall.


> (And yeah, then there's probably the biggest reason that people just
> don't understand that imap/pop3 port supports SSL/TLS.)


Which I think would change if servers generally would support
encrypted-only = true
As it is, people aren't used to looking for such a setting, and if they
call their clueful pal to ask how blah, he'll say "enable imaps", not
"enable encrypted-only".

Arnt
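
The client-side check that point 1 of the quoted text says some clients skip, as an added example that is not part of the original message or of any mail client's code: read the advertised capabilities and never send LOGIN in cleartext. The function names and the `allow_cleartext` switch are hypothetical, and the server lines in the test are constructed.

```python
import re

# Capability data appears either as a response code in the greeting
# ("* OK [CAPABILITY ...] text") or as an untagged "* CAPABILITY ..." line.
_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$", re.IGNORECASE)


def parse_capabilities(line):
    """Return the set of upper-cased capability atoms found in one server line."""
    m = _CAP_RE.search(line.strip())
    if not m:
        return set()
    return {atom.upper() for atom in (m.group(1) or m.group(2) or "").split()}


def next_auth_step(caps, tls_active, allow_cleartext=False):
    """Decide the next step for a password login (hypothetical helper).

    Returns "login" (LOGIN may be sent), "starttls" (negotiate TLS first,
    then re-read capabilities) or "refuse" (do not send LOGIN at all).
    """
    if tls_active:
        # RFC 3501 section 6.2.1: capabilities cached before STARTTLS must be
        # discarded, so `caps` here has to come from a fresh CAPABILITY.
        # LOGINDISABLED can remain set when only AUTHENTICATE is offered.
        return "refuse" if "LOGINDISABLED" in caps else "login"
    if "STARTTLS" in caps:
        # Upgrade first, whether or not LOGINDISABLED is advertised.
        return "starttls"
    if "LOGINDISABLED" in caps:
        # Server forbids LOGIN and offers no upgrade: sending it anyway
        # would only leak the credentials.
        return "refuse"
    # No TLS available; cleartext LOGIN needs an explicit opt-in.
    return "login" if allow_cleartext else "refuse"
```
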


