Re: [yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?

Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> Mon, 18 January 2010 13:26 UTC

Date: Mon, 18 Jan 2010 14:26:36 +0100
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
To: imap-protocol@u.washington.edu, yam@ietf.org
Subject: Re: [yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?

Timo Sirainen writes:
> Such a setting doesn't help.

Such a setting is necessary, not sufficient.

> Dovecot has had one since the beginning and people still configure it 
> to give only imaps/pop3s access. I think there are two big reasons 
> for this:
>
> 1) Clients are stupid and issue plaintext LOGIN command even if 
> LOGINDISABLED is advertised. So with such clients it's easy to 
> accidentally expose username and password.

Good point.

> 2) It's easier to enforce "SSL-only" traffic in firewall rules based 
> on ports. For example they'll keep both imap and imaps enabled, but 
> only imaps is allowed outside intranet.

Yeah. But I can't remember talking to anyone who really cared about 
allowing cleartext imap inside the firewall.

> (And yeah, then there's probably the biggest reason that people just 
> don't understand that imap/pop3 port supports SSL/TLS.)

Which I think would change if servers generally would support
      encrypted-only = true
As it is, people aren't used to looking for such a setting, and if they 
call their clueful pal to ask how blah, he'll say "enable imaps", not 
"enable encrypted-only".

Arnt
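To make the exposure discussed above concrete, here is an added example in Python (not code from this thread, from Dovecot or from any real server): a toy model of an IMAP server's pre-authentication state with the hypothetical `encrypted-only` setting Arnt proposes. It advertises LOGINDISABLED on the cleartext port, refuses LOGIN until STARTTLS has completed, and shows that a client which ignores LOGINDISABLED has already leaked the password by the time the server can say NO.

```python
# Added example: a minimal model of an IMAP server's pre-auth state enforcing
# an "encrypted-only" policy. The option name is Arnt's suggestion from the
# thread, not a real server's configuration key. The TLS handshake itself is
# out of scope; STARTTLS here just flips the tls_active flag.
from dataclasses import dataclass, field


@dataclass
class ImapSession:
    encrypted_only: bool = True      # hypothetical server setting from the thread
    tls_active: bool = False         # implicit TLS (imaps) or completed STARTTLS
    authenticated: bool = False
    log: list = field(default_factory=list)

    def capability(self) -> str:
        caps = ["IMAP4rev1"]
        if not self.tls_active:
            caps.append("STARTTLS")
            if self.encrypted_only:
                # RFC 3501: a client seeing LOGINDISABLED MUST NOT send LOGIN.
                caps.append("LOGINDISABLED")
        return "* CAPABILITY " + " ".join(caps)

    def handle(self, tag: str, line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS" and not self.tls_active:
            self.tls_active = True
            return f"{tag} OK Begin TLS negotiation now"
        if verb == "LOGIN":
            if self.encrypted_only and not self.tls_active:
                # Refuse without looking at the credentials. A compliant client never
                # gets here; a "stupid" one has already put the password on the wire.
                self.log.append("cleartext LOGIN attempt refused")
                return f"{tag} NO [PRIVACYREQUIRED] LOGIN disabled until STARTTLS"
            self.authenticated = True
            return f"{tag} OK LOGIN completed"
        return f"{tag} BAD Unknown command"


def scenario(client_respects_logindisabled: bool) -> dict:
    """Run one cleartext-port session with constructed credentials and report
    whether the password crossed the unencrypted wire."""
    s = ImapSession()
    if "LOGINDISABLED" in s.capability() and client_respects_logindisabled:
        s.handle("a1", "STARTTLS")
        reply, exposed = s.handle("a2", 'LOGIN alice "s3cret"'), False
    else:
        # The password is sent in cleartext before the server can refuse it.
        reply, exposed = s.handle("a1", 'LOGIN alice "s3cret"'), True
    return {"reply": reply, "exposed": exposed, "authenticated": s.authenticated}
```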