MBOX-Line: From arnt at gulbrandsen.priv.no Mon Jan 18 06:11:06 2010
To: imap-protocol@u.washington.edu
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
Date: Fri Jun 8 12:34:43 2018
Subject: [yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?
In-Reply-To: <alpine.LSU.2.00.1001181332190.6203@hermes-2.csi.cam.ac.uk>
References: <9A584868-5961-4871-B32E-915394043727@sabahattin-gucukoglu.com>
 <01NIK8RBBRJK004042@mauve.mrochek.com>
 <NvmPpzLxQER/jAcfFP13kQ.md5@lochnagar.gulbrandsen.priv.no>
 <6081A14A-42E5-4139-A57D-6DF01EF86BA7@iki.fi>
 <TGqvOaec0Cbt2mg7bqct1w.md5@lochnagar.gulbrandsen.priv.no>
 <alpine.LSU.2.00.1001181332190.6203@hermes-2.csi.cam.ac.uk>
Message-ID: <1fQ38Id/bDvQxBfPPns2Vg.md5@lochnagar.gulbrandsen.priv.no>

Tony Finch writes:
> On Mon, 18 Jan 2010, Arnt Gulbrandsen wrote:
>> Yeah. But I can't remember talking to anyone who really cared about
>> allowing cleartext imap inside the firewall.
>
> I'm not sure exactly what you mean here, but I have counter examples
> for two possible interpretations.

I meant that I can't remember speaking to anyone who REALLY WANTED to
allow unencrypted IMAP inside the firewall. Sorry about the lack of
clarity.

> If you mean that no one in your experience is worried by unencrypted
> access from local IP addresses, then we certainly are especially for
> wireless users.

Yes. I have also heard mutterings about ethernet jacks and ARP attacks,
although that may be more paranoia than realism.

> If you mean that no one in your experience enables unencrypted access
> from local IP addresses,

(On the contrary, people do, and I think it makes sense. A low-value
feature is worth using if it's also low-cost, right?)

> then I believe it's fairly common for universities to do so to avoid
> having to reconfigure thousands of desktop clients. It took us about
> a year to completely disable unencrypted access - we wanted to avoid
> huge spikes in support load.

Yes.

> With the right software it's fairly easy to restrict unencrypted
> logins to local wired networks.

Timo's mail made me think of a different approach: Immediately expire a
password if a server receives that password in clear text. Bang bang.
(Let me guess: The words "support spike" entered your mind now.)

Arnt
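The two policies discussed in the message above (unencrypted logins allowed only from local wired networks, and expiring a password once the server has received it in clear text), sketched as an added example that is not part of the original message or of any server's code. The network range, the `Attempt` record, the `evaluate` function and the `"LOGIN-COMMAND"` label are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site layout (assumption): only this range counts as "local wired".
WIRED_NETS = [ipaddress.ip_network("10.1.0.0/16")]
# Ways of authenticating in which the password itself crosses the wire:
# the IMAP LOGIN command and the SASL PLAIN and LOGIN mechanisms.
PASSWORD_ON_WIRE = {"LOGIN-COMMAND", "PLAIN", "LOGIN"}

@dataclass
class Attempt:
    user: str
    source_ip: str
    tls: bool          # True if the session is under TLS (IMAPS or STARTTLS)
    mechanism: str     # "LOGIN-COMMAND" or a SASL mechanism name
    password_ok: bool  # result of the normal credential check

def password_exposed(a: Attempt) -> bool:
    """True if the server received the user's real password in clear text."""
    return a.password_ok and not a.tls and a.mechanism.upper() in PASSWORD_ON_WIRE

def evaluate(a: Attempt, expired: set, expire_on_cleartext: bool) -> str:
    """Return 'allow', 'deny' or 'deny-expired'; may add a.user to expired."""
    if a.user in expired:
        return "deny-expired"   # stays locked until a reset, even over TLS
    if not a.password_ok:
        return "deny"           # a wrong guess must not expire someone's password
    if not password_exposed(a):
        return "allow"
    if expire_on_cleartext:
        expired.add(a.user)     # the real password has been seen on the wire
        return "deny-expired"
    ip = ipaddress.ip_address(a.source_ip)
    if any(ip in net for net in WIRED_NETS):
        return "allow"
    # Refusing here is too late to protect this password: it was already sent.
    return "deny"

if __name__ == "__main__":
    expired = set()
    wired = Attempt("alice", "10.1.4.7", False, "PLAIN", True)
    wifi = Attempt("bob", "10.2.9.9", False, "LOGIN-COMMAND", True)
    print(evaluate(wired, expired, False), evaluate(wifi, expired, False))
    print(evaluate(wired, expired, True), sorted(expired))
```

The `password_ok` check comes first so that a third party cannot expire another user's password by sending a wrong one in clear text.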