Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Wesley Craig
On 13 Feb 2009, at 04:23, Ian Batten wrote: > Security isn't about protocols, it's about systems, and I suspect POP3 > vs IMAP is metonymic for local vs remote mail storage. Also keep in mind that IMAP can be used just like POP, i.e., you can use IMAP to download & remove all mail from the serve

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Vincent Fox
David Lang wrote: > > the flip side of the complience issue is that it's a LOT easier to control > retention policies (including backups) on a central server than on > everybody's > individual desktops/laptops. > > as for the concerns about laxer data security in other juristictions, that's > s

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread David Lang
On Fri, 13 Feb 2009, Ian Batten wrote: > On 13 Feb 09, at 0149, Joseph Brennan wrote: >> >> The protocol itself is no less secure than POP. > > Security isn't about protocols, it's about systems, and I suspect POP3 > vs IMAP is metonymic for local vs remote mail storage. > > I can see an argument

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Dennis Davis
On Fri, 13 Feb 2009, Alain Williams wrote: > From: Alain Williams > To: Cyrus Mailing List > Date: Fri, 13 Feb 2009 15:30:46 + > Subject: Re: Security risk of POP3 & IMAP protocols ... > > Yes. Anything that opens a bunch of mailboxes at the same time > > might be doing way more than that.

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Ian Eiloart
--On 13 February 2009 15:30:46 + Alain Williams wrote: > [23~On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote: >> >> >> --On 13 February 2009 14:35:43 + Alain Williams >> wrote: >> >> > That got me thinking >> > I rate limit ssh connections to try to prevent dictionary

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Jorey Bump
Alain Williams wrote, at 02/13/2009 10:30 AM: > [23~On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote: >> >> --On 13 February 2009 14:35:43 + Alain Williams >> wrote: >> >>> That got me thinking >>> I rate limit ssh connections to try to prevent dictionary attacks (3 >>> attemp

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Alain Williams
[23~On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote: > > > --On 13 February 2009 14:35:43 + Alain Williams > wrote: > > >That got me thinking > >I rate limit ssh connections to try to prevent dictionary attacks (3 > >attempts/3 minutes/IP address). If I were to do the same

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Jason Voorhees
On Thu, Feb 12, 2009 at 5:49 PM, Jason Voorhees wrote: > Hi people: > > A friend of mine is asking me about security risks of using IMAP & > POP3 protocols. Why? Because a sales person told my friend that IMAP > protocol is less secure than POP3 protocol. This assumption is not > related to Cyrus

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Ian Eiloart
--On 13 February 2009 14:35:43 + Alain Williams wrote: > That got me thinking > I rate limit ssh connections to try to prevent dictionary attacks (3 > attempts/3 minutes/IP address). If I were to do the same with IMAP would > that cause problems with some clients, ie are there some cl

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Dave McMurtrie
Alain Williams wrote: > That got me thinking > I rate limit ssh connections to try to prevent dictionary attacks (3 > attempts/3 minutes/IP address). > If I were to do the same with IMAP would that cause problems with some > clients, > ie are there some clients that to many connect/disconne

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Alain Williams
On Fri, Feb 13, 2009 at 09:13:40AM -0500, Adam Tauno Williams wrote: > On Fri, 2009-02-13 at 13:17 +, Duncan Gibb wrote: > > Jason Voorhees wrote: > > JV> a sales person told my friend that IMAP protocol is > > JV> less secure than POP3 protocol. > > Other people have covered the IMAP vs POP3 i

[OT] Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Duncan Gibb
Adam Tauno Williams wrote: JV> a sales person told my friend that IMAP protocol is JV> less secure than POP3 protocol. ATW> It is really far and away more about end-to-end security ATW> practices than it is the OSI layer 7 protocol(s) involved. Indeed. ATW> I stand by my assertion that the IMAP

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Adam Tauno Williams
On Fri, 2009-02-13 at 13:17 +, Duncan Gibb wrote: > Jason Voorhees wrote: > JV> a sales person told my friend that IMAP protocol is > JV> less secure than POP3 protocol. > Other people have covered the IMAP vs POP3 issues - Ian Batten most > comprehensively - but one comment I would add is that

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Duncan Gibb
Jason Voorhees wrote: JV> a sales person told my friend that IMAP protocol is JV> less secure than POP3 protocol. Other people have covered the IMAP vs POP3 issues - Ian Batten most comprehensively - but one comment I would add is that if you make either service available to the open internet, ev

Re: Security risk of POP3 & IMAP protocols

2009-02-13 Thread Ian Batten
On 13 Feb 09, at 0149, Joseph Brennan wrote: > > The protocol itself is no less secure than POP. Security isn't about protocols, it's about systems, and I suspect POP3 vs IMAP is metonymic for local vs remote mail storage. I can see an argument that says that one problem with IMAP is that yo