Educause Security Discussion mailing list archives
Re: Blocking POP3 and IMAP
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Thu, 11 Oct 2007 11:49:36 -0700
Hammon, Gary wrote:
> I recently joined the Security listserv, and searched the archives looking for any trend regarding blocking inbound POP3 and IMAP. We think we have finally moved beyond any 'business need' to allow these protocols for email. We have an Exchange environment that has web access etc., but there are a small number of folks who simply prefer not to change. I am hoping that I can say that it would be a best practice to eliminate the POP3 and IMAP protocols. I am hoping that other institutions have already started to eliminate the protocols, or know that it is a good idea/best practice to eliminate these protocols (ignoring the political firestorm of course!).
>
> Thank you for any feedback on this,

Welcome, Gary! I don't really want to burst your bubble, but my personal feeling is that it's a bad idea. Although there are a lot of people who like the convenience of webmail, it simply doesn't have the functionality of a full-featured "fat" IMAP client.

If you have a mandate not to use POP or IMAP and only use webmail (or webmail for outside use and Exchange inside) from management, then you can basically enforce that as a campus policy. Every institution is different, so I understand that you may have reasons for only using webmail. I just think there are plenty of reasons to still use IMAP (over TLS, of course).

(I am assuming that you're also using the various Microsoft protocols to use Exchange with Outlook? That still makes it harder for people to use non-MS software and/or operating systems with your mail system. Maybe that's okay in your environment.)

There's also a distinction between not providing an IMAP service and actively blocking it in either or both directions across the various security boundaries at your institution. It's one thing to say "web mail/Exchange is good enough for our business, research, and educational needs--we are not going to support whatever other protocol people want to use, but we are not going to prevent them;" it's totally another to say that you CANNOT use any other protocol, even from an outside provider--you'll get web mail or Exchange and like it!

I am also wondering if you will have to deal with issues from visiting faculty who need to use their home institutions' email systems. Just a thought.

michael