Educause Security Discussion mailing list archives
Re: Turning off IMAP
From: John Jennings <000000525e064cf3-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 21 Mar 2019 20:25:48 +0000
We blocked IMAP/POP/SMTP at the edge after monitoring usage for a couple of weeks and notifying users. As a result, we have seen hits against our O365 domain drop by over 10K per month. We still have some internal app service accounts communicating using these protocols and are working with the vendors to modify them. In the interim we have ensured they have very complex, lengthy, and rotating passwords.

John Jennings, CISSP
Vice President/Acting CIO
10455 Pomerado Road, M-13
San Diego, CA 92131
Direct: (720)480-5913
Email: jjennings () alliant edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B
Sent: Thursday, March 21, 2019 2:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Turning off IMAP

+1

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Emily Harris
Sent: Thursday, March 21, 2019 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Turning off IMAP

We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221

On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu> wrote:

I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the use of email clients (see https://support.google.com/a/answer/6260879?hl=en for Less secure apps management)

Gaël Frouin
Information Security Officer
Berklee

On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:

YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel). Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221

On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:

On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.
Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?