Educause Security Discussion mailing list archives

Re: Blocking POP3 and IMAP


From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Thu, 11 Oct 2007 11:47:56 -0700

If you have anything on your network that sniffs in/outbound traffic,
you can show your POP3 and IMAP die-hards the plain text username and
password packets passed back and forth via these protocols (and, you
know how easy it is to sniff traffic). If they still gripe, show them
your institution's Acceptable Use Policy (you do have one, right?) that
addresses the consequences of exposing or sharing passwords (it does
include that, right?).

If the threat of termination for violation of institutional policy
doesn't convince them, and you can't get administrative support for
eliminating the protocols, then you may be forced to wait for one of
them to get their account hacked by an angry student who packs their
in-box with porn. Maybe an embarrassing and messy end of a career
splashed across the front page of the local daily newspaper is the only
way to get the message across.

Guy L. Pace, CISSP 
Security Administrator 
Center for Information Services (CIS) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 

gpace () cis ctc edu 

 

________________________________

From: Hammon, Gary [mailto:ghammon () STONEHILL EDU] 
Sent: Thursday, October 11, 2007 11:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blocking POP3 and IMAP


I recently joined the Security listserv, and searched the archives
looking for any trend regarding blocking inbound POP3 and IMAP.
 
We think we have finally moved beyond any 'business need' to allow these
protocols for email. We have an Exchange environment that has web access
etc., but there are a small number of folks who simply prefer not to
change.
 
I am hoping that I can say that it would be a best practice to eliminate
the POP3 and IMAP protocols.
 
I am hoping that other institutions have already started to eliminate
the protocols, or know that it is a good idea/best practice to eliminate
these protocols (ignoring the political firestorm of course!).
 
Thank you for any feedback on this,
 
Gary
 
Gary Hammon
CIO
Stonehill College
Easton, MA  02357
