Arnt Gulbrandsen arnt at gulbrandsen.priv.no
Mon Jan 18 05:26:36 PST 2010

Timo Sirainen writes:

> Such setting doesn't help.

Such a setting is necessary, not sufficient.

> Dovecot has had one since the beginning and people still configure it
> to give only imaps/pop3s access. I think there are two big reasons
> for this:
>
> 1) Clients are stupid and issue plaintext LOGIN command even if
> LOGINDISABLED is advertised. So with such clients it's easy to
> accidentally expose username and password.

Good point.

> 2) It's easier to enforce "SSL-only" traffic in firewall rules based
> on ports. For example they'll keep both imap and imaps enabled, but
> only imaps is allowed outside intranet.

Yeah. But I can't remember talking to anyone who really cared about
allowing cleartext imap inside the firewall.

> (And yeah, then there's probably the biggest reason that people just
> don't understand that imap/pop3 port supports SSL/TLS.)

Which I think would change if servers generally would support
encrypted-only = true.
As it is, people aren't used to looking for such a setting, and if they
call their clueful pal to ask how blah, he'll say "enable imaps", not
"enable encrypted-only".
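Added example, not from the original mail and not Dovecot's code: a minimal model of the server-side "encrypted-only" gate the thread argues about. Until TLS is up the server advertises LOGINDISABLED and refuses LOGIN/AUTHENTICATE, so a client of the kind Timo describes (one that sends LOGIN anyway) is refused and logged instead of being authenticated in the clear. The class name `ImapGate`, the setting name `encrypted_only` and the client transcript are assumptions constructed for this example.

```python
"""Constructed example: an IMAP pre-login command gate enforcing an
"encrypted-only" policy. Before TLS it advertises LOGINDISABLED (RFC 2595)
and rejects LOGIN/AUTHENTICATE with the PRIVACYREQUIRED code (RFC 5530)."""
from dataclasses import dataclass, field


@dataclass
class ImapGate:
    encrypted_only: bool = True   # assumed name for the setting proposed in the mail
    tls_active: bool = False
    authenticated: bool = False
    log: list = field(default_factory=list)

    def capabilities(self) -> str:
        caps = ["IMAP4rev1", "STARTTLS"]
        if self.encrypted_only and not self.tls_active:
            caps.append("LOGINDISABLED")   # tell compliant clients: no LOGIN yet
        else:
            caps.append("AUTH=PLAIN")
        return " ".join(caps)

    def handle(self, line: str) -> str:
        # One tagged client command in, one server response out.
        tag, _, rest = line.partition(" ")
        cmd, _, _args = rest.partition(" ")
        cmd = cmd.upper()
        if cmd == "CAPABILITY":
            return f"* CAPABILITY {self.capabilities()}\r\n{tag} OK done"
        if cmd == "STARTTLS":
            if self.tls_active:
                return f"{tag} BAD TLS already active"
            self.tls_active = True          # the real handshake would follow here
            return f"{tag} OK Begin TLS negotiation now"
        if cmd in ("LOGIN", "AUTHENTICATE"):
            if self.encrypted_only and not self.tls_active:
                # The client has already put its credentials on the wire; the
                # server cannot undo that, but it refuses to use them and records
                # the event so such clients can be found and fixed.
                self.log.append(f"refused cleartext {cmd}")
                return f"{tag} NO [PRIVACYREQUIRED] plaintext authentication disallowed"
            self.authenticated = True
            return f"{tag} OK logged in"
        return f"{tag} BAD unknown command"


def run_session(gate: ImapGate, lines: list) -> list:
    return [gate.handle(line) for line in lines]


# Constructed transcript: a client that ignores LOGINDISABLED, then recovers.
CLIENT_LINES = ["a1 CAPABILITY", "a2 LOGIN alice hunter2",
                "a3 STARTTLS", "a4 LOGIN alice hunter2"]
```

The refusal does not protect the password already sent by the careless client, which is exactly why the setting is necessary but not sufficient; the log entry is what lets an operator find those clients.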


