Educause Security Discussion mailing list archives

Re: Blocking POP3 and IMAP


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Thu, 11 Oct 2007 11:49:36 -0700

Hammon, Gary wrote:
> I recently joined the Security listserv, and searched the archives
> looking for any trend regarding blocking inbound POP3 and IMAP.
>
> We think we have finally moved beyond any 'business need' to allow these
> protocols for email. We have an Exchange environment that has web access
> etc., but there are a small number of folks who simply prefer not to change.
>
> I am hoping that I can say that it would be a best practice to eliminate
> the POP3 and IMAP protocols.
>
> I am hoping that other institutions have already started to eliminate
> the protocols, or know that it is a good idea/best practice to eliminate
> these protocols (ignoring the political firestorm of course!).
>
> Thank you for any feedback on this,

Welcome, Gary!

I don't really want to burst your bubble, but my personal feeling is
that it's a bad idea.  Although there are a lot of people who like the
convenience of webmail, it simply doesn't have the functionality of a
full-featured "fat" IMAP client.  If you have a mandate not to use POP
or IMAP and only use webmail (or webmail for outside use and Exchange
inside) from management, then you can basically enforce that as a campus
policy.  Every institution is different, so I understand that you may
have reasons for only using webmail.  I just think there are plenty of
reasons to still use IMAP (over TLS, of course).  (I am assuming that
you're also using the various Microsoft protocols to use Exchange with
Outlook?  That still makes it harder for people to use non-MS software
and/or operating systems with your mail system.  Maybe that's okay in
your environment.)

There's also a distinction between not providing an IMAP service and
actively blocking it in either or both directions across the various
security boundaries at your institution.  It's one thing to say "web
mail/Exchange is good enough for our business, research, and educational
needs--we are not going to support whatever other protocol people want
to use, but we are not going to prevent them;" it's totally another to
say that you CANNOT use any other protocol, even from an outside
provider--you'll get web mail or Exchange and like it!  I am also
wondering if you will have to deal with issues from visiting faculty who
need to use their home institutions' email systems.  Just a thought.

michael
