Timo Sirainen writes:
> Such setting doesn't help.
Such a setting is necessary, not sufficient.
> Dovecot has had one since the beginning and people still configure it
> to give only imaps/pop3s access. I think there are two big reasons
> for this:
>
> 1) Clients are stupid and issue plaintext LOGIN command even if
> LOGINDISABLED is advertised. So with such clients it's easy to
> accidentally expose username and password.
Good point.
> 2) It's easier to enforce "SSL-only" traffic in firewall rules based
> on ports. For example they'll keep both imap and imaps enabled, but
> only imaps is allowed outside intranet.
Yeah. But I can't remember talking to anyone who really cared about
allowing cleartext imap inside the firewall.
Sites are all over the map on this. Some have no problem with cleartext
everything inside the firewall while others have mandates that require
a security layer on literally every protocol and every connection.
Then there's the whole wireless thing - sites often have very different
policies for wired versus wireless and all sorts of different arrangements are
used.
Ned
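
Point 1 in the quoted message, as an added example that is not part of the original thread: a check over a server-side IMAP protocol log that flags LOGIN commands sent before TLS was negotiated and notes whether the client ignored an advertised LOGINDISABLED. The `C:`/`S:` log format, the sample session and the function name are assumptions constructed for illustration.

```python
import re

# Constructed sample session on the cleartext IMAP port; not a real capture.
SAMPLE = """\
S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready
C: a1 LOGIN alice hunter2
S: a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed
C: a2 STARTTLS
S: a2 OK Begin TLS negotiation now
C: a3 LOGIN alice hunter2
S: a3 OK Logged in
"""

def find_plaintext_logins(transcript, tls_at_connect=False):
    """Return one finding per LOGIN command sent without a TLS layer.

    tls_at_connect=True models an imaps-style port where TLS wraps the
    whole session. Passwords are never copied into the findings.
    """
    tls = tls_at_connect
    login_disabled = False
    starttls_tag = None
    findings = []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "S":
            caps = re.search(r"CAPABILITY ([^\]]*)", text, re.I)
            if caps:
                login_disabled = "LOGINDISABLED" in caps.group(1).upper().split()
            # A tagged OK to STARTTLS means everything after it is protected.
            if starttls_tag and text.upper().startswith((starttls_tag + " OK").upper()):
                tls, starttls_tag = True, None
        elif side == "C":
            parts = text.split()
            if len(parts) < 2:
                continue
            tag, cmd = parts[0], parts[1].upper()
            if cmd == "STARTTLS":
                starttls_tag = tag
            elif cmd == "LOGIN" and not tls:
                # Assumes the username is an atom or quoted string, not a literal.
                user = parts[2].strip('"') if len(parts) > 2 else None
                findings.append({"tag": tag, "user": user,
                                 "ignored_logindisabled": login_disabled})
    return findings

if __name__ == "__main__":
    for finding in find_plaintext_logins(SAMPLE):
        print(finding)
```

Every finding means the credentials already crossed the wire in the clear, even when the server rejected the command, so the affected account's password should be treated as exposed.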