On Thu, 4 Jun 2020, Daniele Nicolodi via mailop wrote:

On 02/06/2020 02:41, Andrew C Aitchison via mailop wrote:

On Thu, 28 May 2020, Daniele Nicolodi asked:
The IT department of the organization that is pushing this says that
modern authentication and disabling IMAP (over SSL) enhance security.
I don't see how this is the case. Does anyone have an opinion?

Phil Pennock replied:
PP> As to IMAP/TLS -- I know of no security reason to mandate disabling
PP> IMAP as opposed to any other access protocol.  This sounds more like
PP> the traditional Outlook FUD-spreading re open protocols.

For the 95% or more of users who only use Microsoft clients and thus
don't use IMAP, disabling IMAP means that dictionary attacks over
ports 143 or 993 are impossible.

I don't see the gain as the same attacks are possible over a different
protocol. I don't think that eliminating IMAP (and keeping SMTP
submission as far as I know) reduces the attack surface. Am I missing
something?

Depends whether it is a dictionary attack or a zero-day exploit.

--
Andrew C. Aitchison                                     Kendal, UK
                        and...@aitchison.me.uk
