Firewall Wizards mailing list archives
RE: POP vs IMAP vs MAPI - security through firewalls?
From: "Chris Crozier" <chris () cirrus co za>
Date: Mon, 26 Feb 2001 08:02:11 +0200
Someone has got things muddled. MAPI is an API that provides to client software (such as Outlook) access to mail services on the client PC. One of the services the client software would typically use would be a POP3 or an IMAP4 service provider. MAPI is not a mailbox access protocol. It is therefore meaningless to ask whether MAPI is better or worse than POP3/IMAP4: it is only a mechanism whereby the GUI software talks to a module that provides IMAP4 or POP3 access (if you are talking to an SMTP server), so you are still using one or the other of those. However, there can be other service providers also plugged into MAPI, such as X.400 or the native Microsoft Exchange communications protocol stack.

I suspect someone thinks that the MS Exchange protocol is more secure than POP3/IMAP4 - but there we get into the open vs. closed source debate and the "security by obfuscation" arguments. I would guess it provides slightly more of a challenge for the casual, amateur cracker than POP3/IMAP4, though in their usual implementations.

Both POP3 and IMAP4 have stronger authentication mechanisms (APOP for POP3, CRAM-MD5 for IMAP4), but I have never seen them used - nearly everyone uses clear text passwords, which are blatantly lousy security.

Whichever way you slice it, I believe that no-one should use email for sensitive information without encrypting/signing at the client level since none of the mail access protocols have any inherent security worth considering, especially in the military context.

Chris Crozier
Cirrus Techvue (Pty) Ltd

-----Original Message-----
/snip/

Is anyone aware of any verifiable security testing that's been done on MAPI? Is it in fact "more secure" than POP3 and IMAP4? You needn't tell me that the latter two have security vulnerabilities - I've heard this - but details would help [I haven't collected those], and if there is a comparison to MAPI that would be so much the better. Is MAPI that much better? [It had better be, to use up 7+ ports! ;-(]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
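
An added example, not part of the original post: how the APOP and CRAM-MD5 challenge-response mechanisms named above differ on the wire from a clear text `PASS` login. The function names are illustrative, and the sample banner, challenge and secrets are the documentation values from RFC 1939 and RFC 2195.

```python
import base64
import hashlib
import hmac

def apop_digest(banner_timestamp: str, secret: str) -> str:
    """APOP (RFC 1939): MD5 over the server's banner timestamp + shared secret."""
    return hashlib.md5((banner_timestamp + secret).encode()).hexdigest()

def cram_md5_response(challenge_b64: str, user: str, secret: str) -> str:
    """CRAM-MD5 (RFC 2195): base64("user " + hex HMAC-MD5(secret, challenge))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_verify_cram(challenge_b64: str, response_b64: str, secrets: dict) -> bool:
    """Server side: recompute the HMAC from its stored copy of the secret."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison

def client_lines(user: str, secret: str, banner_ts: str, challenge_b64: str) -> dict:
    """What the client transmits for each login method (what a sniffer sees)."""
    return {
        "cleartext": f"USER {user}\r\nPASS {secret}",
        "apop": f"APOP {user} {apop_digest(banner_ts, secret)}",
        "cram-md5": cram_md5_response(challenge_b64, user, secret),
    }

def exposes_secret(wire_text: str, secret: str) -> bool:
    """True if the secret itself appears in the transmitted text."""
    decoded = wire_text
    try:
        decoded += base64.b64decode(wire_text, validate=True).decode()
    except Exception:
        pass  # not base64: only the raw text is checked
    return secret in decoded

# Sample values from the RFC examples (not captured traffic).
APOP_BANNER = "<1896.697170952@dbc.mtview.ca.us>"
CRAM_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"

if __name__ == "__main__":
    for method, text in client_lines("tim", "tanstaaftanstaaf",
                                     APOP_BANNER, CRAM_CHALLENGE).items():
        print(f"{method:10} secret on wire: {exposes_secret(text, 'tanstaaftanstaaf')}")
```

Both mechanisms protect only the login exchange; the mail retrieved afterwards still crosses the connection unencrypted.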