Timo Sirainen writes:
> Such setting doesn't help.
Such a setting is necessary, not sufficient.
> Dovecot has had one since the beginning and people still configure it
> to give only imaps/pop3s access. I think there are two big reasons
> for this:
> 1) Clients are stupid and issue plaintext LOGIN command even if
> LOGINDISABLED is advertised. So with such clients it's easy to
> accidentally expose username and password.
Good point.
> 2) It's easier to enforce "SSL-only" traffic in firewall rules based
> on ports. For example they'll keep both imap and imaps enabled, but
> only imaps is allowed outside intranet.
Yeah. But I can't remember talking to anyone who really cared about
allowing cleartext imap inside the firewall.
> (And yeah, then there's probably the biggest reason that people just
> don't understand that imap/pop3 port supports SSL/TLS.)
Which I think would change if servers generally would support
encrypted-only = true
As it is, people aren't used to looking for such a setting, and if they
call their clueful pal to ask how blah, he'll say "enable imaps", not
"enable encrypted-only".
Arnt
_______________________________________________
yam mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/yam
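The LOGINDISABLED point in the thread above, as a constructed Python model added here (it is not code from the thread, from Dovecot, or from any real IMAP server). The session class, the `USERS` credential store, the two client functions and the `[PRIVACYREQUIRED]` reply text are assumptions made for the example. It shows three things side by side: a server with the "encrypted-only" knob set still refuses a plaintext LOGIN, a client that ignores the advertised LOGINDISABLED has already put the password on the cleartext wire before that refusal arrives, and an imaps-style listener with TLS from the first byte has no such window at all.

```python
"""Constructed model of an IMAP server's pre-authentication state (example
added here; not code from Dovecot, from the thread or from any real server).
It shows why a server-side "encrypted-only" setting is necessary but not
sufficient: a client that ignores LOGINDISABLED has already put the password
on the cleartext wire before the server can refuse the LOGIN."""

from dataclasses import dataclass, field

# Constructed credential store for the example.
USERS = {"alice": "hunter2"}


@dataclass
class ImapSession:
    """Server side of one connection. `cleartext_wire` records every line that
    a passive network observer would see, i.e. everything sent before TLS."""
    require_tls: bool = True      # the "encrypted-only" knob discussed above
    implicit_tls: bool = False    # True models an imaps (993) listener
    tls: bool = False
    authenticated: bool = False
    cleartext_wire: list = field(default_factory=list)

    def __post_init__(self):
        self.tls = self.implicit_tls

    def capability(self):
        """Advertise STARTTLS and LOGINDISABLED only while still in cleartext."""
        caps = ["IMAP4rev1"]
        if self.tls:
            caps.append("AUTH=PLAIN")
        else:
            caps.append("STARTTLS")
            caps.append("LOGINDISABLED" if self.require_tls else "AUTH=PLAIN")
        return caps

    def handle(self, line):
        """Process one tagged client command and return the server's reply."""
        if not self.tls:
            self.cleartext_wire.append(line)   # observable by anyone on the path
        tag, _, rest = line.partition(" ")
        cmd, _, args = rest.partition(" ")
        cmd = cmd.upper()
        if cmd == "CAPABILITY":
            return "* CAPABILITY %s\r\n%s OK done" % (" ".join(self.capability()), tag)
        if cmd == "STARTTLS":
            if self.tls:
                return "%s BAD TLS already active" % tag
            self.tls = True   # a real server runs the TLS handshake here
            return "%s OK Begin TLS negotiation now" % tag
        if cmd == "LOGIN":
            if self.require_tls and not self.tls:
                # Refusing protects the account, but the credentials in `line`
                # are already in cleartext_wire: the exposure has happened.
                return ("%s NO [PRIVACYREQUIRED] Plaintext authentication "
                        "disallowed on non-secure (SSL/TLS) connections." % tag)
            user, _, password = args.partition(" ")
            if USERS.get(user.strip('"')) == password.strip('"'):
                self.authenticated = True
                return "%s OK Logged in" % tag
            return "%s NO [AUTHENTICATIONFAILED] Authentication failed." % tag
        return "%s BAD Unknown command" % tag


def careful_client(server):
    """Client that honours the capability list: upgrades to TLS before LOGIN."""
    reply = server.handle("a1 CAPABILITY")
    if "STARTTLS" in reply:
        server.handle("a2 STARTTLS")
    return server.handle('a3 LOGIN alice "hunter2"')


def careless_client(server):
    """Client that never looks at CAPABILITY and sends LOGIN immediately."""
    return server.handle('b1 LOGIN alice "hunter2"')


def password_leaked(server):
    """True if the password appeared on the cleartext side of the connection."""
    return any("hunter2" in line for line in server.cleartext_wire)


if __name__ == "__main__":
    for name, client, kwargs in [
        ("careful client, STARTTLS required", careful_client, {}),
        ("careless client, STARTTLS required", careless_client, {}),
        ("careless client, imaps listener", careless_client, {"implicit_tls": True}),
        ("careless client, plaintext allowed", careless_client, {"require_tls": False}),
    ]:
        s = ImapSession(**kwargs)
        reply = client(s)
        print("%-36s reply=%r leaked=%s"
              % (name, reply.split("\r\n")[-1], password_leaked(s)))
```

The refusal in the second scenario is what an encrypted-only setting buys you: the account is not usable over cleartext. It does not buy back the password that a careless client already sent, which is why the imaps-style listener (third scenario) and port-based firewall rules remain attractive in practice. In Dovecot 2.x the corresponding server-side knobs are `disable_plaintext_auth = yes` (reject LOGIN and AUTH=PLAIN on non-TLS connections) and `ssl = required` (refuse any non-TLS session).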