[yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?
arnt at gulbrandsen.priv.no
Mon Jan 18 06:11:06 PST 2010
Tony Finch writes:
> On Mon, 18 Jan 2010, Arnt Gulbrandsen wrote:
>> Yeah. But I can't remember talking to anyone who really cared about
>> allowing cleartext imap inside the firewall.
> I'm not sure exactly what you mean here, but I have counter examples
> for two possible interpretations.
I meant that I can't remember speaking to anyone who REALLY WANTED to
allow unencrypted IMAP inside the firewall. Sorry about the lack of
> If you mean that no one in your experience is worried by unencrypted
> access from local IP addresses, then we certainly are especially for
> wireless users.
Yes. I have also heard mutterings about ethernet jacks and ARP attacks,
although that may be more paranoia than realism.
> If you mean that no one in your experience enables unencrypted access
> from local IP addresses,
(On the contrary, people do, and I think it makes sense. A low-value
feature is worth using if it's also low-cost, right?)
> then I believe it's fairly common for universities to do so to avoid
> having to reconfigure thousands of desktop clients. It took us about
> a year to completely disable unencrypted access - we wanted to avoid
> huge spikes in support load.
> With the right software it's fairly easy to restrict unencrypted
> logins to local wired networks.
Timo's mail made me think of a different approach: Immediately expire a
password if a server receives that password in clear text. Bang bang.
(Let me guess: The words "support spike" entered your mind now.)
More information about the Imap-protocol