Re: [yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?

Arnt Gulbrandsen <> Mon, 18 January 2010 14:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 93A933A6A10 for <>; Mon, 18 Jan 2010 06:11:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.459
X-Spam-Status: No, score=-2.459 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ThGzEZS-jjBN for <>; Mon, 18 Jan 2010 06:11:07 -0800 (PST)
Received: from ( [IPv6:2001:4d88:100c::1]) by (Postfix) with ESMTP id 559633A69C4 for <>; Mon, 18 Jan 2010 06:11:06 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 8F3E7FA0552; Mon, 18 Jan 2010 14:11:01 +0000 (UTC)
Received: from (HELO by (Archiveopteryx 3.1.3) with esmtp id 1263823669-45839-45838/5/32 (2 recipients); Mon, 18 Jan 2010 15:07:49 +0100
Message-Id: <1fQ38Id/>
Date: Mon, 18 Jan 2010 15:11:06 +0100
From: Arnt Gulbrandsen <>
References: <> <> <NvmPpzLxQER/> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; format="flowed"
Mime-Version: 1.0
Subject: Re: [yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Jan 2010 14:11:10 -0000

Tony Finch writes:
> On Mon, 18 Jan 2010, Arnt Gulbrandsen wrote:
>> Yeah. But I can't remember talking to anyone who really cared about 
>> allowing cleartext imap inside the firewall.
> I'm not sure exactly what you mean here, but I have counter examples 
> for two possible interpretations.

I meant that I can't remember speaking to anyone who REALLY WANTED to 
allow unencrypted IMAP inside the firewall. Sorry about the lack of 

> If you mean that no one in your experience is worried by unencrypted 
> access from local IP addresses, then we certainly are especially for 
> wireless users.

Yes. I have also heard mutterings about ethernet jacks and ARP attacks, 
although that may be more paranoia than realism.

> If you mean that no one in your experience enables unencrypted access 
> from local IP addresses,

(On the contrary, people do, and I think it makes sense. A low-value 
feature is worth using if it's also low-cost, right?)

> then I believe it's fairly common for universities to do so to avoid 
> having to reconfigure thousands of desktop clients. It took us about 
> a year to completely disable unencrypted access - we wanted to avoid 
> huge spikes in support load.


> With the right software it's fairly easy to restrict unencrypted 
> logins to local wired networks.

Timo's mail made me think of a different approach: Immediately expire a 
password if a server receives that password in clear text. Bang bang. 
(Let me guess: The words "support spike" entered your mind now.)