Agree with everything Bill said here…especially “…unwisely run
organizations drinking vendor Kool-Aid…”
The better solution is using OAuth2 which I believe is supported in many
IMAP servers such as Dovecot.
With that in mind, seems like the big boys are creating a somewhat false
sense of urgency - what we typically called “FUD” in my SE days - so
as to peddle more of that Kool-Aid referenced above…
- - -
On 24 Jun 2021, at 20:21, Bill Cole wrote:
On 2021-06-24 at 20:35:55 UTC-0400 (Thu, 24 Jun 2021 17:35:55 -0700)
Harvey Leff <[email protected]>
is rumored to have said:
I had written earlier that my email provider (the university from
which I retired) stopped using IMAP, which would rule out use of
MailMate. They also stopped having a "Forward all mail" option so I
cannot move my mail to an IMAP-enabled site. I've complained, and the
response is below. I switched (with great difficulty) to gmail, which
of course uses IMAP and allows me to continue my love affair with
MailMate.
It seems that a prime alleged reason for their change is that IMAP
does not support 2-Factor authentication. Do any of you experts have
knowledge whether that claim is true and really limits security?
IMAP has no direct support for any form of 2FA because the way IMAP is
used typically involves multiple short-term authenticated sessions
with no persistent shared state across them. If you did 2FA directly
in IMAP with something like a code sent by SMS or generated by a TOTP
device or app (e.g. Google Authenticator or Duo), you'd be
re-authenticating every few minutes, because IMAP does not have any
equivalent to HTTP cookies.
Some IMAP servers and clients (including MailMate) support an
authentication protocol called OAuth2, which delegates the
authentication to an external web-based protocol which generates
renewable access tokens that a client like MailMate can use for
authentication. OAuth2 token providers typically require 2FA. MailMate
uses OAuth2 to access GMail accounts via IMAP.
They are now implementing 2FA using a seemingly complicated system
called Duo. Anybody know about that type of 2FA?
Duo is a brand name for a proprietary 2FA system sold by Cisco
Systems. It does not directly support OAuth2 and as a proprietary
system there is no open standard for integrating it into IMAP (or POP
or SMTP.) It does work with Office365, and Office365 supposedly can be
an OAuth2 provider. I can't confirm that.
The university's reply is below if you are interested and willing to
read the claims. What I **DO** know is that the university replaced
its standard IMAP/SMTP server with Microsoft's proprietary
ActiveSync.
Cisco and Microsoft share an interest in selling proprietary software
that shuts out 3rd-party tools.
Beware, this might be an indicator of the future… Yikes!
I've heard that about Microsoft and email software before. I don't
think there's really anything to worry about in a universal sense,
just a substantial number of unwisely run organizations drinking
vendor Kool-Aid.
I can neither confirm nor refute your university's assertions about
what Microsoft's Office365 IMAP service can support. I can say what MM
sees when it connects:
02:44:43 Trying to connect to outlook.office365.com on port 993
(CFNetwork) without STARTTLS (required)
02:44:43 Resolved hostname (outlook.office365.com).
02:44:43 Prepare secure connection...
02:44:43 Successful connection.
02:44:43 Initiating secure connection...
02:44:43 Returned (4)...
02:44:43 Protocol version: kTLSProtocol12
02:44:43 S: * OK The Microsoft Exchange IMAP4 service is ready.
[QwBIADIAUABSADEANQBDAEEAMAAwADEAMwAuAG4AYQBtAHAAcgBkADEANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
02:44:43 C: A0 CAPABILITY
02:44:43 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2
SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
02:44:43 S: A0 OK CAPABILITY completed.
The "AUTH=XOAUTH2" bit there in the server's response to the IMAP
CAPABILITY command indicates support for the standard mechanism by
which IMAP can support OAuth2, potentially backed by 2FA of some
flavor. Whether that works, I can't say. Whether it can be made to
work with Duo as the specific 2FA solution, I cannot say. It is
interesting that MailMate does not use OAuth2 with Microsoft or Yahoo
accounts, even though both advertise support in their CAPABILITY
replies.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailmate mailing list
[email protected]
https://lists.freron.com/listinfo/mailmate
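As an added illustration of the two technical points in Bill's message (that an AUTH=XOAUTH2 atom in the CAPABILITY reply is how an IMAP server advertises OAuth2, and that the client then authenticates with a renewable bearer token rather than re-doing 2FA on every connection), here is example code that is not from the thread, from MailMate, or from any vendor. It re-joins the CAPABILITY line from the log above, checks the advertised SASL mechanisms, and builds the XOAUTH2 initial response in the format Google and Microsoft document (user=…, ^A, auth=Bearer …, ^A^A, base64). The user name, token and failure payload are constructed sample values; obtaining a real token (provider registration, browser-based consent, refresh-token renewal) is outside this snippet.

```python
import base64
import json

# Constructed sample: the untagged CAPABILITY reply shown in the log on the
# page, re-joined into the single line the server sends (the log wrapped it).
SAMPLE_CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 "
    "SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+"
)


def parse_capabilities(line: str) -> set:
    """Return the capability atoms from an untagged '* CAPABILITY ...' response."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return set(parts[2:])


def auth_mechanisms(caps: set) -> set:
    """SASL mechanisms the server advertises, i.e. the name after each 'AUTH='."""
    return {c.split("=", 1)[1] for c in caps if c.upper().startswith("AUTH=")}


def supports_oauth2(caps: set) -> bool:
    """True when the server offers the XOAUTH2 SASL mechanism."""
    return "XOAUTH2" in auth_mechanisms(caps)


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL initial response for XOAUTH2.

    Wire format (as documented by Google and Microsoft for their IMAP services):
        user=<address>\\x01auth=Bearer <access token>\\x01\\x01
    The token is a short-lived OAuth2 access token; when it expires the client
    renews it with its refresh token instead of prompting the user for 2FA again.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def authenticate_command(tag: str, user: str, access_token: str, caps: set) -> str:
    """The AUTHENTICATE line a client sends.

    With SASL-IR (advertised above) the initial response rides on the command
    itself; without it the client sends a bare AUTHENTICATE, waits for the
    server's '+' continuation, then sends the base64 blob on its own line.
    """
    ir = xoauth2_initial_response(user, access_token)
    if "SASL-IR" in caps:
        return f"{tag} AUTHENTICATE XOAUTH2 {ir}"
    return f"{tag} AUTHENTICATE XOAUTH2"


def decode_xoauth2_failure(continuation: str) -> dict:
    """Decode the '+ <base64 JSON>' continuation a server returns on XOAUTH2 failure.

    Assumption: the payload follows the JSON shape Google documents
    ({"status": ..., "schemes": ..., "scope": ...}); a client replies with an
    empty line to finish the exchange, then refreshes its token and retries.
    """
    if not continuation.startswith("+ "):
        raise ValueError("not a server continuation")
    payload = base64.b64decode(continuation[2:])
    return json.loads(payload.decode("utf-8"))


# Constructed sample failure continuation, built here rather than captured.
SAMPLE_FAILURE = "+ " + base64.b64encode(
    json.dumps({"status": "401", "schemes": "bearer", "scope": "example"}).encode()
).decode("ascii")


if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_CAPABILITY)
    print("mechanisms:", sorted(auth_mechanisms(caps)))
    print("OAuth2 available:", supports_oauth2(caps))
    # Constructed sample credentials; the token is a placeholder, not a real one.
    print(authenticate_command("A1", "user@example.com", "ACCESS_TOKEN_PLACEHOLDER", caps))
    print(decode_xoauth2_failure(SAMPLE_FAILURE))
```

Run as a script it prints the advertised mechanisms, the one-line AUTHENTICATE command a SASL-IR-capable server accepts, and the decoded failure payload. The check that matters for Bill's point is `supports_oauth2`: a server that lists only AUTH=PLAIN forces a password on every IMAP session, while one listing AUTH=XOAUTH2 lets the 2FA happen once, in the token provider's web flow, with the resulting token reused and renewed by the client.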