Re: Turning off IMAP

[Gael Frouin <gfrouin () BERKLEE EDU>]

I believe that the right setting then would be to disable "less secure
apps" for your users. This will force users to use OAuth or SAML in your
case. It will prevent plain text login/password while still allowing the
user of email clients
(see https://support.google.com/a/answer/6260879?hl=en for Less secure apps
management)

Gaël Frouin
*Information Security Officer*
*Berklee*

On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:

> YES.
>
> We use SSO - SAML and protected via MFA.  Leaving IMAP and POP3 open
> allows a criminal with a credential to get into someone's email and use the
> Google SMTP server to send spam.  This has happened (to our knowledge)
> twice.  The users never replied to phishing, had changed their password
> within the last 12 months (so it was not an old hack / password reuse
> issue; it was likely a random malware / key logging event on a public
> machine or during travel.  Since we are on SSO, Google 2FA is bypassed.  We
> did figure out a (convoluted) way to make that part of the equation, but
> from a user perspective I think it is harder to explain rather than just
> turning it off.
>
>
>
> ----
> Emily Harris, CISSP
> Information Security Officer, CIS
> Vassar College
> 845-437-7221
>
>
> On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu>
> wrote:
>
> > On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
> > > I am wondering if anyone on this list has turned off IMAP and POP3 for
> > > their Google domains.
> >
> > Out of curiosity, what problem are you trying to solve by doing this?
> > Is there a reason to force "Thou Shalt Use The Web Interface" and
> > prohibit the use of mail software that processes the mail locally on
> > the user's computer?