Re: Turning off IMAP

["Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>]

+1

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Emily Harris
Sent: Thursday, March 21, 2019 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Turning off IMAP


**** EXTERNAL EMAIL ****
We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less 
secure apps, but are still waffling on the exceptions, which we believe will surface.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu<mailto:gfrouin () berklee edu>> wrote:
I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to 
use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients
(see 
https://support.google.com/a/answer/6260879?hl=en<https://urldefense.proofpoint.com/v2/url?u=https-3A__support.google.com_a_answer_6260879-3Fhl-3Den&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=EmvQfnwoek_8TAwETFZ5rc_5-1J10g6jKng3cAzm-14&s=miWuR0GURwAknQKgEsdgi7uTMp0WAy_ljzAI8Ei8jTY&e=>
 for Less secure apps management)

Gaël Frouin
Information Security Officer
Berklee

On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu<mailto:emharris () vassar edu>> wrote:
YES.

We use SSO - SAML and protected via MFA.  Leaving IMAP and POP3 open allows a criminal with a credential to get into 
someone's email and use the Google SMTP server to send spam.  This has happened (to our knowledge) twice.  The users 
never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password 
reuse issue; it was likely a random malware / key logging event on a public machine or during travel.  Since we are on 
SSO, Google 2FA is bypassed.  We did figure out a (convoluted) way to make that part of the equation, but from a user 
perspective I think it is harder to explain rather than just turning it off.



----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu<mailto:valdis.kletnieks () vt edu>> wrote:
On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
> I am wondering if anyone on this list has turned off IMAP and POP3 for
> their Google domains.

Out of curiosity, what problem are you trying to solve by doing this?
Is there a reason to force "Thou Shalt Use The Web Interface" and
prohibit the use of mail software that processes the mail locally on
the user's computer?