Re: Turning off IMAP

[John Jennings <000000525e064cf3-dmarc-request () LISTSERV EDUCAUSE EDU>]

We blocked IMAP/POP/SMTP at the edge after monitoring usage for a couple of weeks and notifying users. As a result, we 
have seen hits against our O365 domain drop by over 10K per month.

We still have some internal app service accounts communicating using these protocols and are working with the vendors 
to modify them. In the interim we have ensured they have very complex, lengthy, and rotating passwords.


John Jennings, CISSP
Vice President/Acting CIO
10455 Pomerado Road, M-13
San Diego, CA 92131
Direct: (720)480-5913
Email: jjennings () alliant edu<mailto:jjennings () alliant edu>

[cid:5f299f2b-3483-4b48-bd7a-2a71e249c505]



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B
Sent: Thursday, March 21, 2019 2:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Turning off IMAP

+1

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Emily Harris
Sent: Thursday, March 21, 2019 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Turning off IMAP


**** EXTERNAL EMAIL ****
We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less 
secure apps, but are still waffling on the exceptions, which we believe will surface.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu<mailto:gfrouin () berklee edu>> wrote:
I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to 
use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients
(see 
https://support.google.com/a/answer/6260879?hl=en<https://urldefense.proofpoint.com/v2/url?u=https-3A__support.google.com_a_answer_6260879-3Fhl-3Den&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=EmvQfnwoek_8TAwETFZ5rc_5-1J10g6jKng3cAzm-14&s=miWuR0GURwAknQKgEsdgi7uTMp0WAy_ljzAI8Ei8jTY&e=>
 for Less secure apps management)

Gaël Frouin
Information Security Officer
Berklee

On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu<mailto:emharris () vassar edu>> wrote:
YES.

We use SSO - SAML and protected via MFA.  Leaving IMAP and POP3 open allows a criminal with a credential to get into 
someone's email and use the Google SMTP server to send spam.  This has happened (to our knowledge) twice.  The users 
never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password 
reuse issue; it was likely a random malware / key logging event on a public machine or during travel.  Since we are on 
SSO, Google 2FA is bypassed.  We did figure out a (convoluted) way to make that part of the equation, but from a user 
perspective I think it is harder to explain rather than just turning it off.



----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu<mailto:valdis.kletnieks () vt edu>> wrote:
On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
> I am wondering if anyone on this list has turned off IMAP and POP3 for
> their Google domains.

Out of curiosity, what problem are you trying to solve by doing this?
Is there a reason to force "Thou Shalt Use The Web Interface" and
prohibit the use of mail software that processes the mail locally on
the user's computer?
NOTICE - This email was sent from outside of the University - do NOT open any attachments or click on links if you are 
unsure of the sender’s identity.

NOTICE - This message (including any attachments) may contain confidential, proprietary, privileged and/or private 
information. The information is intended to be for the use of the individual or entity designated above. If you are not 
the intended recipient of this message, please notify the sender immediately, and delete the message and any 
attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an 
individual or entity other than the intended recipient is prohibited.