how (in)secure is pop?

On 27.01.2007 19:48:41 by felmon davis

greets!

my college understandably is leery of using POP3 though they seem quite
enamoured of IMAP. I am wondering if POP3 over SSL is a good answer to its
security issues. (the college's implementation of IMAP leaves something to
be desired for those of us not on Microsoft.)

Felmon

Re: how (in)secure is pop?

On 27.01.2007 20:49:16 by Mark Crispin

On Sat, 27 Jan 2007, felmon john davis wrote:
> my college understandably is leery of using POP3 though they seem quite
> enamoured of IMAP. I am wondering if POP3 over SSL is a good answer to its
> security issues. (the college's implementation of IMAP leaves something to
> be desired for those of us not on Microsoft.)

Security has nothing to do with the choice of POP3 vs. IMAP.

What is the DNS name of your IMAP server system? The notion of IMAP being
tied to Microsoft seems a bit bizarre. If you're trying to get away from
an Exchange server, there are excellent open source IMAP servers out there
without having to go to the extreme of switching to POP3.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: how (in)secure is pop?

On 27.01.2007 21:54:50 by patrick

In news:pan.2007.01.27.18.48.40.597018@union.edu,
felmon john davis wrote:

> my college understandably is leery of using POP3 though they seem
> quite enamoured of IMAP.

*Any* protocol that transmits usernames and passwords in clear text is
inherently insecure by nature. pop3s and imaps are preferred by anyone who
cares and knows the difference.

Re: how (in)secure is pop?

On 28.01.2007 03:04:44 by Mark Crispin

On Sat, 27 Jan 2007, patrick wrote:
> *Any* protocol that transmits usernames and passwords in clear text is
> inherently insecure by nature. pop3s and imaps are preferred by anyone who
> cares and knows the difference.

Pop3s and imaps are certainly preferred over clear text password
authentication over pop3 and imap.

However, modern (as in 21st century) POP and IMAP servers do not permit
clear text password authentication in pop3 and imap. Instead, they
require that you either negotiate a non-cleartext authentication mechanism
(such as GSSAPI or CRAM-MD5 or DIGEST-MD5) or first negotiate TLS
authentication with the start-TLS command.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: how (in)secure is pop?

On 28.01.2007 07:44:26 by felmon davis

On Sat, 27 Jan 2007 11:49:16 -0800, Mark Crispin wrote:

>
> On Sat, 27 Jan 2007, felmon john davis wrote:
>> my college understandably is leery of using POP3 though they seem quite
>> enamoured of IMAP. I am wondering if POP3 over SSL is a good answer to its
>> security issues. (the college's implementation of IMAP leaves something to
>> be desired for those of us not on Microsoft.)
>
> Security has nothing to do with the choice of POP3 vs. IMAP.
>
> What is the DNS name of your IMAP server system? The notion of IMAP being
> tied to Microsoft seems a bit bizarre.

it is tied to Microsoft by the College's ITS people, not me. that's what
they use, Exchange.

> If you're trying to get away from
> an Exchange server, there are excellent open source IMAP servers out there
> without having to go to the extreme of switching to POP3.

I hope I have clarified? it is not up to me, it's the College which is
using Exchange, etc.

I am having an argument about using POP. they haven't been very explicit
so I am _assuming_ they don't offer it because of security concerns. I
want to argue the secure version - another poster referred to it as POP3s
- is secure.


Felmon

Re: how (in)secure is pop?

On 28.01.2007 07:48:55 by felmon davis

On Sat, 27 Jan 2007 18:04:44 -0800, Mark Crispin wrote:

> On Sat, 27 Jan 2007, patrick wrote:
>> *Any* protocol that transmits usernames and passwords in clear text is
>> inherently insecure by nature. pop3s and imaps are preferred by anyone who
>> cares and knows the difference.
>
> Pop3s and imaps are certainly preferred over clear text password
> authentication over pop3 and imap.
>
> However, modern (as in 21st century) POP and IMAP servers do not permit
> clear text password authentication in pop3 and imap. Instead, they
> require that you either negotiate a non-cleartext authentication mechanism
> (such as GSSAPI or CRAM-MD5 or DIGEST-MD5) or first negotiate TLS
> authentication with the start-TLS command.

apologies! I referred to you as 'another poster' in another post of mine!

so you are saying POP3s is secure but these other encryption schemes are
even better?

I don't think I am in a position to argue with the College people about
the matter (allowing POP3s or some secure variation of POP), but I do want
to know enough to at least recognize the smoke they may try to blow.

Felmon

Re: how (in)secure is pop?

On 28.01.2007 08:50:52 by Mark Crispin

On Sun, 28 Jan 2007, felmon john davis wrote:
> so you are saying POP3s is secure but these other encryption schemes are
> even better?

pop3s and imaps use SSL, which is an older means of encryption. The
modern mechanism is TLS, which unlike SSL does not require a separate
port (it does require a start-TLS command to enter encrypted mode).

Modern POP3 and IMAP servers support both SSL and TLS.

> I don't think I am in a position to argue with the College people about
> the matter (allowing POP3s or some secure variation of POP), but I do want
> to know enough to at least recognize the smoke they may try to blow.

There are many reasons to choose IMAP over POP. Security is not relevant
to those reasons.

If your college runs Exchange, their reasons are probably those of
Exchange vs. UNIX-based servers, and not IMAP vs. POP. I am not a good
person to ask about why someone would want to do this. I'll just say that
Exchange does an excellent job at being Exchange; and there are cases in
which Exchange is the right answer.

I know that Exchange has an IMAP server. Early versions of Exchange's
IMAP server had problems, but modern versions do a much better job. I
don't know if Exchange has a POP server or not.

The only reason that I can see for a user choosing to use a POP3 server
instead of an IMAP server is if he has a very old client that is
POP3-only. 10 years ago, this was a common problem; but today, just about
every email client program supports both POP3 and IMAP.

It is true that some IMAP clients are very poor. But, in the IMAP world,
"very poor" equates to "treats IMAP like POP3 instead of using IMAP
capabilities."

IMAP is a functional superset of POP3. You don't gain anything (and you
lose a lot) by using POP3 instead of IMAP.

Perhaps if you told us why you want to use POP3 instead of IMAP, we might
be able to clarify things for you.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
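Mark's two points above (a modern server refuses a cleartext password until either a non-cleartext SASL mechanism or STARTTLS has been negotiated, and pop3s/imaps use a dedicated port while STARTTLS upgrades the standard one) turned into a client-side decision rule; this is an added example, not code from anyone in the thread. The CAPA/CAPABILITY responses are constructed samples and the function names are my own.

```python
"""Pick a POP3/IMAP login method that never sends a cleartext password
over an unencrypted link, from the server's advertised capabilities."""

# SASL mechanisms that do not carry the password itself on the wire.
NON_CLEARTEXT_MECHS = {"GSSAPI", "CRAM-MD5", "DIGEST-MD5",
                       "SCRAM-SHA-1", "SCRAM-SHA-256"}

# Constructed sample responses (not captured from any real server).
POP3_CAPA_MODERN = ["+OK Capability list follows", "STLS",
                    "SASL CRAM-MD5 DIGEST-MD5", "TOP", "UIDL", "."]
POP3_CAPA_SASL_ONLY = ["+OK", "SASL CRAM-MD5", "TOP", "UIDL", "."]
POP3_CAPA_LEGACY = ["+OK", "USER", "TOP", "UIDL", "."]
IMAP_CAPA_MODERN = ("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED "
                    "AUTH=GSSAPI AUTH=CRAM-MD5")
IMAP_CAPA_LEGACY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"


def _choose(caps, port, tls_port, starttls_cap, mechs):
    """Shared decision: implicit TLS on the dedicated port (pop3s/imaps),
    else STARTTLS on the standard port, else a non-cleartext SASL
    mechanism, else refuse rather than send USER/PASS or LOGIN in clear."""
    if port == tls_port:
        return "implicit-tls"
    if starttls_cap in caps:
        return "starttls"
    usable = sorted(NON_CLEARTEXT_MECHS & mechs)
    return "sasl:" + usable[0] if usable else "refuse"


def pop3_login_plan(capa_lines, port=110):
    """Decide from the lines of a POP3 CAPA response (RFC 2449)."""
    caps = {}
    for line in capa_lines[1:]:          # skip the "+OK" status line
        if line == ".":                  # end of the multi-line response
            break
        name, _, args = line.partition(" ")
        caps[name.upper()] = {a.upper() for a in args.split()}
    return _choose(caps, port, 995, "STLS", caps.get("SASL", set()))


def imap_caps(capability_line):
    """Capability atoms from an untagged '* CAPABILITY ...' response."""
    return {c.upper() for c in capability_line.split()[2:]}


def imap_login_plan(capability_line, port=143):
    """Decide from the IMAP CAPABILITY response (RFC 3501 / RFC 2595)."""
    caps = imap_caps(capability_line)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    return _choose(caps, port, 993, "STARTTLS", mechs)


def imap_cleartext_login_allowed(capability_line):
    """True if the server would still accept LOGIN with a cleartext password
    on this connection; modern servers advertise LOGINDISABLED until
    STARTTLS has completed."""
    return "LOGINDISABLED" not in imap_caps(capability_line)
```

A "refuse" result is the case to report to the server's operators: the legacy samples offer nothing but cleartext USER/PASS or AUTH=PLAIN on the standard port.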

Re: how (in)secure is pop?

On 28.01.2007 09:30:45 by Steve Baker

On Sat, 27 Jan 2007 23:50:52 -0800, Mark Crispin wrote:

>The only reason that I can see for a user choosing to use a POP3 server
>instead of an IMAP server is if he has a very old client that is
>POP3-only.

Mark invented IMAP. It's possible that he isn't completely impartial.

--
Steve Baker

Re: how (in)secure is pop?

On 28.01.2007 17:09:54 by gregor herrmann

On Sun, 28 Jan 2007 01:44:26 -0500, felmon john davis wrote:

>> What is the DNS name of your IMAP server system? The notion of IMAP being
>> tied to Microsoft seems a bit bizarre.
> it is tied to Microsoft by the College's ITS people, not me. that's what
> they use, Exchange.

As long as the "IMAP internet service" (or whatever that part of
Exchange is called exactly) is running on the server there's no
problem in accessing the Exchange server with any IMAP capable MUA.


gregor
--
.''`. http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
: :' : debian: the universal operating system - http://www.debian.org/
`. `' member of https://www.vibe.at/ | how to reply: http://got.to/quote/
`- NP: Kurt Ostbahn & Kombo: Liegn oda knian

Re: how (in)secure is pop?

On 28.01.2007 21:31:56 by Mark Crispin

On Sun, 28 Jan 2007, Steve Baker wrote:
>> The only reason that I can see for a user choosing to use a POP3 server
>> instead of an IMAP server is if he has a very old client that is
>> POP3-only.
> Mark invented IMAP. It's possible that he isn't completely impartial.

That is true. However, IMAP is a complete functional superset of POP3.
Thus, it is difficult to find an argument for a user to prefer a POP3
server over an IMAP server if the user's client supports both protocols.

There are relatively few POP3-only clients today. Even Eudora (a
long-time holdout) has IMAP support these days.

There is a reason for a site to prefer a POP3 server over an IMAP server:

Most POP3 clients download all messages to the client and then delete them
from the server. Some POP3 servers automatically delete all messages from
the server when the session is closed, even if the POP3 client did not
request that the messages be deleted.

Such behavior is a violation of the POP3 protocol, but these servers do it
anyway as a matter of site policy to stymie POP3 clients which are set to
"leave messages on server."

An IMAP server would not be able to get away with such behavior.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: how (in)secure is pop?

On 30.01.2007 08:08:02 by felmon davis

On Sat, 27 Jan 2007 23:50:52 -0800, Mark Crispin wrote:

> Subject: Re: how (in)secure is pop?
> From: Mark Crispin
> Newsgroups: comp.mail.misc
> Date: Sat, 27 Jan 2007 23:50:52 -0800
>
> On Sun, 28 Jan 2007, felmon john davis wrote:
>> so you are saying POP3s is secure but these other encryption schemes are
>> even better?
>
> pop3s and imaps use SSL, which is an older means of encryption. The
> modern mechanism is TLS, which unlike SSL does not require a separate
> port (it does require a start-TLS command to enter encrypted mode).
>
> Modern POP3 and IMAP servers support both SSL and TLS.
>
>> I don't think I am in a position to argue with the College people about
>> the matter (allowing POP3s or some secure variation of POP), but I do want
>> to know enough to at least recognize the smoke they may try to blow.
>
> There are many reasons to choose IMAP over POP. Security is not relevant
> to those reasons.
>
> If your college runs Exchange, their reasons are probably those of
> Exchange vs. UNIX-based servers, and not IMAP vs. POP. I am not a good
> person to ask about why someone would want to do this. I'll just say that
> Exchange does an excellent job at being Exchange; and there are cases in
> which Exchange is the right answer.

the College uses Exchange server. I do not know all of their reasons for
the recent conversion.

> I know that Exchange has an IMAP server. Early versions of Exchange's
> IMAP server had problems, but modern versions do a much better job. I
> don't know if Exchange has a POP server or not.
>
> The only reason that I can see for a user choosing to use a POP3 server
> instead of an IMAP server is if he has a very old client that is
> POP3-only. 10 years ago, this was a common problem; but today, just about
> every email client program supports both POP3 and IMAP.

a couple of my colleagues do use Eudora but as you say, the newer versions
are IMAP-capable.

one person in particular (a close acquaintance so I know his issues)
complains about

(a) being able to download messages to his own computer
(b) the slowness of the search function
(c) the poor browser interface.

I assume (c) is not per se an IMAP issue. as I understand his issue with
(a), he is finding simply that he cannot get bunches of his messages to
his pc. he likes having his collection (archive) of email on his own
machine where he can search quickly.

perhaps he is experiencing a poor implementation of IMAP or
misconfiguration of the server?

(I have the College ship my email to gmail and download it to my office
and my home machine via fetchmail so I have the same stores at different
locations. I too want my email on my own machines. I don't use Eudora but
Pine under SuSE.)

> It is true that some IMAP clients are very poor. But, in the IMAP
> world, "very poor" equates to "treats IMAP like POP3 instead of using
> IMAP capabilities."
>
> IMAP is a functional superset of POP3. You don't gain anything (and you
> lose a lot) by using POP3 instead of IMAP.

I am not clear about the advantages of IMAP over what I do now.

> Perhaps if you told us why you want to use POP3 instead of IMAP, we
> might be able to clarify things for you.

I believe the archiving I mentioned above is a main use. I cannot comment
from personal experience about slowness of searches since, as I said, I
basically 'export' my email off the system. I am not, however, fully
content with that (because of privacy implications of gmail).

I cannot access the server from home or not without some gyrations (VPN or
SSH to office machine in order to get on the College network) so there are
barriers to cross....

very instructive! I appreciate your advice.

Felmon

Re: how (in)secure is pop?

On 30.01.2007 08:12:28 by felmon davis

On Sun, 28 Jan 2007 17:09:54 +0100, gregor herrmann wrote:

>
> As long as the "IMAP internet service" (or whatever that part of
> Exchange is called exactly) is running on the server there's no
> problem in accessing the Exchange server with any IMAP capable MUA.

actually I cannot, not from home, except via VPN or SSH; using the latter
I would, I think, ssh in and then use Pine or something to connect to the
network.

there is a web interface but - and this is probably the fault of ITS here
- it is slow and clumsy. (however I believe people say it is fine if you
are using Internet Explorer.)

Felmon

Re: how (in)secure is pop?

On 30.01.2007 17:45:35 by Mark Crispin

On Tue, 30 Jan 2007, felmon john davis wrote:
> one person in particular (a close acquaintance so I know his issues)
> complains about
> (a) being able to download messages to his own computer

That isn't a limitation of IMAP or of the IMAP server. It may be a
limitation of the user's IMAP client.

Or, perhaps, the user just doesn't know how to do it in the IMAP client.
What client does the user use?

> (b) the slowness of the search function

Search in most IMAP servers should be instantaneous for all but very large
(5-digit message count) mailboxes.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: how (in)secure is pop?

On 30.01.2007 21:07:32 by felmon davis

On Tue, 30 Jan 2007 08:45:35 -0800, Mark Crispin wrote:

> Subject: Re: how (in)secure is pop?
> From: Mark Crispin
> Newsgroups: comp.mail.misc
> Date: Tue, 30 Jan 2007 08:45:35 -0800
>
> On Tue, 30 Jan 2007, felmon john davis wrote:
>> one person in particular (a close acquaintance so I know his issues)
>> complains about
>> (a) being able to download messages to his own computer
>
> That isn't a limitation of IMAP or of the IMAP server. It may be a
> limitation of the user's IMAP client.
>
> Or, perhaps, the user just doesn't know how to do it in the IMAP client.
> What client does the user use?

he is using a new (the newest? I will have to ask) version of Eudora.

>> (b) the slowness of the search function
>
> Search in most IMAP servers should be instantaneous for all but very large
> (5-digit message count) mailboxes.

he's only searching through his emails.

he is experiencing his problems on a couple of his systems, at least one
or two running XP and one running ME. (he is willing to confess the
weaknesses of ME.)

I believe he is not alone but I may find out more tomorrow as a meeting is
being held where some folks with problems, including email-related, will
pow-wow.

so it is clear you believe his problems are configuration-related either
on his side or server-side, perhaps a weakness of his implementation of
Eudora.

I was using Pine for a while on the system but too briefly and in too
limited a way to encounter these issues.

Felmon

Re: how (in)secure is pop?

On 30.01.2007 21:25:48 by Mark Crispin

On Tue, 30 Jan 2007, felmon john davis wrote:
> so it is clear you believe his problems are configuration-related either
> on his side or server-side, perhaps a weakness of his implementation of
> Eudora.

Unfortunately, I don't know much about Eudora, how to configure it, or how
it does searches. However, there are a number of Eudora users out there,
including people who read this newsgroup, who can probably pipe in and
offer assistance.

I'm sure that there must be some way in Eudora to configure an IMAP
session to download the messages to the local hard drive.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: how (in)secure is pop?

On 31.01.2007 14:51:31 by felmon davis

On Tue, 30 Jan 2007 12:25:48 -0800, Mark Crispin wrote:

> On Tue, 30 Jan 2007, felmon john davis wrote:
>> so it is clear you believe his problems are configuration-related either
>> on his side or server-side, perhaps a weakness of his implementation of
>> Eudora.
>
> Unfortunately, I don't know much about Eudora, how to configure it, or how
> it does searches. However, there are a number of Eudora users out there,
> including people who read this newsgroup, who can probably pipe in and
> offer assistance.
>
> I'm sure that there must be some way in Eudora to configure an IMAP
> session to download the messages to the local hard drive.

ok. some key things I got out of this useful conversation.

(a) as far as IMAP goes, my colleague should look to problems with
Eudora (though server-side issues are not to be ruled out?);

(b) whatever the reasons not to use POP are, they are not
security-related. (a _very_ important fact for our purposes.)

thank you.

Felmon