Re: Blocking POP3 and IMAP

["Harry E Flowers (flowers)" <flowers () MEMPHIS EDU>]

First, I think everyone would agree that requiring the secure versions of
these protocols if they are used is prudent.

We allow secure IMAP to our Exchange servers to let folks who don't want to
use Outlook Web Access or Outlook (we enable "RPC over HTTP" for off-campus
access) or Entourage or some PDA supporting ActiveSync to get access to
their e-mail.  Any of the products mentioned support calendaring and
contacts in addition to e-mail, which pure IMAP users have to do without.
But, there are still enough folks who really want yet another way to access
just their e-mail that we provide that.

The reason we don't allow secure POP access really has just a little to do
with security.  It's an issue of how many dozens of calls we got each
semester from people who had cleaned out their Inbox by accepting the
default POP behavior of the client software and were trying to access their
e-mail from another system, not realizing they'd downloaded it all to
another system and deleted it from the server.  If they set the client to
leave mail on the server, that makes it essentially a dumbed-down version of
IMAP that can only see the Inbox folder.  So, what's the advantage of having
yet another protocol port open that might get attacked?
--
Harry Flowers
Manager, Systems Software
Information Technology Division
The University of Memphis

Attachment: smime.p7s
Description: