On Thu, Jun 4, 2020 at 9:30 PM Daniele Nicolodi via mailop <mailop@mailop.org> wrote:
> On 02/06/2020 02:41, Andrew C Aitchison via mailop wrote:
> >
> > On Thu, 28 May 2020, Daniele Nicolodi asked:
> >> The IT department of the organization that is pushing things says that
> >> modern authentication and disabling IMAP (over SSL) enhance security.
> >> I don't see how this is the case. Does anyone have an opinion?
> >
> > Phil Pennock replied:
> > PP> As to IMAP/TLS -- I know of no security reason to mandate disabling
> > PP> IMAP as opposed to any other access protocol. This sounds more like
> > PP> the traditional Outlook FUD-spreading re open protocols.
> >
> > For the 95% or more of users who only use Microsoft clients and thus
> > don't use IMAP, disabling IMAP means that dictionary attacks over
> > ports 143 or 993 are impossible.
>
> I don't see the gain as the same attacks are possible over a different
> protocol. I don't think that eliminating IMAP (and keeping SMTP
> submission as far as I know) reduces the attack surface. Am I missing
> something?
>

The attack surface is definitely reduced, but maybe you mean it doesn't reduce the threat, and that is also true. I.e., having two ways to do something vs one is definitely reduced, just not eliminated.

There's also a raft of things which target IMAP right now, and so eliminating that buys time before there is enough incentive to move the tools to the new surface. OTOH, O365 is definitely popular enough that the tools will move. OTOOH, re-using the O365 web login surface means they were already protecting that and maybe they will have more resources to work on that.

The longer list of things they included may also indicate their thinking, that IMAP is just one of a lot of protocols they aren't upgrading. Who knows what percentage of their users use each one as well; it's possible it really doesn't make sense, that some of those other ones actually have higher usage than IMAP.

The weird thing to me is that I thought O365 and outlook.com already supported OAUTHBEARER (or equivalent).
https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

Brandon
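For readers who have not seen what "OAuth for IMAP" looks like on the wire, here is an added example (not code from the list, from Microsoft, or from the linked page) that builds and parses the SASL initial client responses used by the two mechanisms in play: XOAUTH2 (the one the linked Microsoft document covers) and the standards-track OAUTHBEARER from RFC 7628. The user name, host and access token are constructed placeholders; a real token is an opaque string issued by the identity provider. The point for the attack-surface discussion is visible in the parser: the only credential on the wire is a short-lived bearer token, so a password-guessing tool pointed at port 993 has nothing to guess against once password-based SASL mechanisms are turned off.

```python
import base64

CTRL_A = "\x01"  # field separator mandated by both mechanisms


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the base64 initial response for SASL XOAUTH2 (Google/Microsoft).

    Wire format before base64: user=<addr>^Aauth=Bearer <token>^A^A
    """
    raw = f"user={user}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def oauthbearer_initial_response(user: str, host: str, port: int, access_token: str) -> str:
    """Build the base64 initial response for SASL OAUTHBEARER (RFC 7628).

    Wire format before base64 (GS2 header, then key=value fields):
    n,a=<addr>,^Ahost=<host>^Aport=<port>^Aauth=Bearer <token>^A^A
    """
    raw = (
        f"n,a={user},{CTRL_A}"
        f"host={host}{CTRL_A}"
        f"port={port}{CTRL_A}"
        f"auth=Bearer {access_token}{CTRL_A}{CTRL_A}"
    )
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def imap_authenticate_line(tag: str, mechanism: str, initial_response: str) -> str:
    """The IMAP command a client sends when the server advertises SASL-IR."""
    return f"{tag} AUTHENTICATE {mechanism} {initial_response}"


def parse_xoauth2_initial_response(encoded: str) -> dict:
    """Server-side view: decode an XOAUTH2 initial response into its fields.

    Rejects malformed input early so that a garbage blob never reaches the
    token validation step.  Note that there is no password field at all;
    the server's next step is to validate the bearer token with the issuer.
    """
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith(CTRL_A + CTRL_A):
        raise ValueError("XOAUTH2 response must end with two ^A separators")
    fields = {}
    for part in raw[:-2].split(CTRL_A):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("auth field must carry a Bearer token")
    if "user" not in fields:
        raise ValueError("user field is required")
    fields["token"] = token
    return fields


if __name__ == "__main__":
    # Constructed placeholder values; a real token comes from the IdP.
    user = "alice@example.com"
    token = "EXAMPLE_ACCESS_TOKEN"
    ir = xoauth2_initial_response(user, token)
    print(imap_authenticate_line("a01", "XOAUTH2", ir))
    print(parse_xoauth2_initial_response(ir))
    print(imap_authenticate_line(
        "a02", "OAUTHBEARER",
        oauthbearer_initial_response(user, "imap.example.com", 993, token)))
```

In both mechanisms the client still needs a TLS session (port 993 or STARTTLS on 143) before sending the response, because the bearer token is just as reusable as a password for its lifetime; what changes is that the token expires, is bound to the issuing IdP's policy (MFA, conditional access) and cannot be brute-forced by trying dictionary words.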
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop