On 02/06/2020 02:41, Andrew C Aitchison via mailop wrote:
>
> On Thu, 28 May 2020, Daniele Nicolodi asked:
>> The IT department of the organization that is pushing things says that
>> modern authentication and disabling IMAP (over SSL) enhance security.
>> I don't see how this is the case. Does anyone have an opinion?
>
> Phil Pennock replied:
> PP> As to IMAP/TLS -- I know of no security reason to mandate disabling
> PP> IMAP as opposed to any other access protocol. This sounds more like
> PP> the traditional Outlook FUD-spreading re open protocols.
>
> For the 95% or more of users who only use Microsoft clients and thus
> don't use IMAP, disabling IMAP means that dictionary attacks over
> ports 143 or 993 are impossible.

I don't see the gain, as the same attacks are possible over a different
protocol. I don't think that eliminating IMAP (and keeping SMTP
submission as far as I know) reduces the attack surface. Am I missing
something?

Cheers,
Dan
