Re: [yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?

Timo Sirainen <> Mon, 18 January 2010 13:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E1ADF3A68E9 for <>; Mon, 18 Jan 2010 05:14:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oUCe4wobx7+Q for <>; Mon, 18 Jan 2010 05:14:18 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id DFCE03A659C for <>; Mon, 18 Jan 2010 05:14:17 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 3522CFA8A54; Mon, 18 Jan 2010 15:14:12 +0200 (EET)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Timo Sirainen <>
In-Reply-To: <NvmPpzLxQER/>
Date: Mon, 18 Jan 2010 15:14:10 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <NvmPpzLxQER/>
To: Arnt Gulbrandsen <>
X-Mailer: Apple Mail (2.1077)
X-Mailman-Approved-At: Mon, 18 Jan 2010 06:44:26 -0800
Subject: Re: [yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Jan 2010 13:14:19 -0000

On 18.1.2010, at 13.22, Arnt Gulbrandsen wrote:

> Ned Freed writes:
>> The abscence of a technical justification doesn't mean no other sort of justification exists.
> I asked three admins about that in 2007, all said "we want all access to be encrypted and imaps/pop3s/smtps is the practical way to get that". Statistics isn't my field, three identical answers was enough for me, and I concluded that SSL wrapping will remain in use until mail servers offer configuration settings to allow/prevent plaintext access to mail.

Such setting doesn't help. Dovecot has had one since the beginning and people still configure it to give only imaps/pop3s access. I think there are two big reasons for this:

1) Clients are stupid and issue plaintext LOGIN command even if LOGINDISABLED is advertised. So with such clients it's easy to accidentally expose username and password.

2) It's easier to enforce "SSL-only" traffic in firewall rules based on ports. For example they'll keep both imap and imaps enabled, but only imaps is allowed outside intranet.

(And yeah, then there's probably the biggest reason that people just don't understand that imap/pop3 port supports SSL/TLS.)