[yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?

Arnt Gulbrandsen arnt at gulbrandsen.priv.no
Mon Jan 18 06:11:06 PST 2010


Tony Finch writes:

> On Mon, 18 Jan 2010, Arnt Gulbrandsen wrote:
>> Yeah. But I can't remember talking to anyone who really cared about
>> allowing cleartext imap inside the firewall.
>
> I'm not sure exactly what you mean here, but I have counter examples
> for two possible interpretations.


I meant that I can't remember speaking to anyone who REALLY WANTED to
allow unencrypted IMAP inside the firewall. Sorry about the lack of
clarity.


> If you mean that no one in your experience is worried by unencrypted
> access from local IP addresses, then we certainly are especially for
> wireless users.


Yes. I have also heard mutterings about ethernet jacks and ARP attacks,
although that may be more paranoia than realism.


> If you mean that no one in your experience enables unencrypted access
> from local IP addresses,


(On the contrary, people do, and I think it makes sense. A low-value
feature is worth using if it's also low-cost, right?)


> then I believe it's fairly common for universities to do so to avoid
> having to reconfigure thousands of desktop clients. It took us about
> a year to completely disable unencrypted access - we wanted to avoid
> huge spikes in support load.


Yes.


> With the right software it's fairly easy to restrict unencrypted
> logins to local wired networks.


Timo's mail made me think of a different approach: Immediately expire a
password if a server receives that password in clear text. Bang bang.
(Let me guess: The words "support spike" entered your mind now.)

Arnt
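
A sketch of the expire-on-cleartext idea from the message above, as an added example that is not part of the original post or of any real IMAP server. The `Account` class, `handle_login` function, the `CLEARTEXT_OK` exemption list (standing in for the "local wired networks" restriction) and the sample addresses are all hypothetical.

```python
import hashlib
import hmac
import ipaddress
import os

# Assumption: networks where cleartext logins are still tolerated,
# e.g. wired local ranges. The range below is a constructed sample.
CLEARTEXT_OK = [ipaddress.ip_network("192.0.2.0/24")]

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = _kdf(password, self.salt)
        self.expired = False  # once set, the user must choose a new password

    def matches(self, password):
        return hmac.compare_digest(self.digest, _kdf(password, self.salt))

def handle_login(accounts, user, password, client_ip, tls_active):
    """Decide one login attempt; returns 'OK', 'NO' or 'EXPIRED'."""
    acct = accounts.get(user)
    if acct is None or not acct.matches(password):
        # A wrong guess exposes nothing. Expiring here would let anyone
        # lock out any user by sending junk over a cleartext connection.
        return "NO"
    addr = ipaddress.ip_address(client_ip)
    exposed = not tls_active and not any(addr in net for net in CLEARTEXT_OK)
    if exposed:
        # The real password crossed an untrusted network unencrypted.
        acct.expired = True
    return "EXPIRED" if acct.expired else "OK"
```

Expiry is triggered only when the cleartext password verifies, and it persists for later TLS logins until the password is reset.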


