Re: Turning off IMAP

[Emily Harris <emharris () VASSAR EDU>]

YES.

We use SSO - SAML and protected via MFA.  Leaving IMAP and POP3 open allows
a criminal with a credential to get into someone's email and use the Google
SMTP server to send spam.  This has happened (to our knowledge) twice.  The
users never replied to phishing, had changed their password within the last
12 months (so it was not an old hack / password reuse issue; it was likely
a random malware / key logging event on a public machine or during travel.
Since we are on SSO, Google 2FA is bypassed.  We did figure out a
(convoluted) way to make that part of the equation, but from a user
perspective I think it is harder to explain rather than just turning it off.



----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu>
wrote:

> On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
> > I am wondering if anyone on this list has turned off IMAP and POP3 for
> > their Google domains.
>
> Out of curiosity, what problem are you trying to solve by doing this?
> Is there a reason to force "Thou Shalt Use The Web Interface" and
> prohibit the use of mail software that processes the mail locally on
> the user's computer?