Educause Security Discussion mailing list archives

Re: Turning off IMAP


From: "Telfer, Will" <Will_Telfer () BAYLOR EDU>
Date: Thu, 21 Mar 2019 20:22:10 +0000

With the caveat that we are not a Google campus as we use MS/Office 365, we disabled IMAP access to email for all but a 
handful of faculty/staff that had been using it for years…with the understanding that if their accounts were ever 
compromised via phishing, etc. that there would be no discussion & it would be disabled permanently after that (this 
was communicated to all users who remained on IMAP). Our reasoning was that IMAP allowed accounts that were compromised 
to continue sending phishing/junk without enforcing our 2-factor authentication via Duo. Once we disabled it, our 
compromised accounts went from hundreds per week (at the peak times) to zero (to be fair the 2-factor enforcement on 
Office 365 was the bigger factor in this quick decrease).

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services
Twitter: @BearAware
Facebook: www.facebook.com/BearAware
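For the Office 365 side of the approach Will describes (IMAP/POP3 off for everyone except a short, documented exception list), the following is an added Exchange Online PowerShell script, not something posted in the thread. It assumes the ExchangeOnlineManagement module, an account allowed to run Set-CASMailbox, and a hypothetical exception file `imap-exceptions.txt` containing one primary SMTP address per line; it runs with -WhatIf so the planned changes are listed before anything is applied.

```powershell
# Added example (not from the thread): find mailboxes that still accept IMAP or POP3,
# keep an explicit exception list, and disable both protocols for everyone else.
# Assumes the ExchangeOnlineManagement module; the exception file path is a placeholder.

Connect-ExchangeOnline   # interactive sign-in to the tenant

# Exception list maintained by the security team: one address per line, '#' for comments
# (constructed placeholder file; replace with your own path)
$exceptions = Get-Content -Path '.\imap-exceptions.txt' |
    Where-Object { $_ -and -not $_.Trim().StartsWith('#') } |
    ForEach-Object { $_.Trim().ToLowerInvariant() }

# Inventory: every mailbox with either legacy protocol still enabled
$legacy = Get-EXOCASMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress, ImapEnabled, PopEnabled |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }

Write-Host "Mailboxes with IMAP or POP3 enabled: $($legacy.Count)"

foreach ($mbx in $legacy) {
    $addr = $mbx.PrimarySmtpAddress.ToString().ToLowerInvariant()
    if ($exceptions -contains $addr) {
        # Documented exception: report it so the list stays reviewable
        Write-Host "KEEP   $addr (on exception list)"
        continue
    }
    # Remove -WhatIf once the reported set looks right
    Write-Host "DISABLE $addr"
    Set-CASMailbox -Identity $addr -ImapEnabled $false -PopEnabled $false -WhatIf
}

# New mailboxes inherit protocol settings from the CAS mailbox plan, so turn the
# protocols off there too or the inventory above will grow back over time.
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false -WhatIf
```

Re-running the script periodically doubles as the check that nobody has quietly re-enabled IMAP for an account that is not on the exception list.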

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B
Sent: Thursday, March 21, 2019 3:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Turning off IMAP

+1

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Emily Harris
Sent: Thursday, March 21, 2019 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Turning off IMAP

We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less 
secure apps, but are still waffling on the exceptions, which we believe will surface.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu> wrote:
I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to 
use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the use of email clients
(see https://support.google.com/a/answer/6260879?hl=en for Less secure apps management).

Gaël Frouin
Information Security Officer
Berklee

On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:
YES.

We use SSO - SAML and protected via MFA.  Leaving IMAP and POP3 open allows a criminal with a credential to get into 
someone's email and use the Google SMTP server to send spam.  This has happened (to our knowledge) twice.  The users 
never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password 
reuse issue; it was likely a random malware / key logging event on a public machine or during travel).  Since we are on 
SSO, Google 2FA is bypassed.  We did figure out a (convoluted) way to make that part of the equation, but from a user 
perspective I think it is harder to explain rather than just turning it off.
----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:
On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for
their Google domains.

Out of curiosity, what problem are you trying to solve by doing this?
Is there a reason to force "Thou Shalt Use The Web Interface" and
prohibit the use of mail software that processes the mail locally on
the user's computer?
