[MlMt] 2nd IT&IP Service Notice: Campus Email Protocols IMAP/SMTP/POP Disabled - 2/1
mmlist-20120120 at billmail.scconsult.com
Fri Feb 5 13:30:50 EST 2021
On 4 Feb 2021, at 16:12, Antonio Leding wrote:
> This may be the wrong forum for my question but I’m feeling
> adventurous…so here goes…
> Is there any technical reason, such as infosec, to remove IMAP\SMTP
> from one’s network?
If you're already committed to an Exchange/Office365 environment, maybe.
> I am by no means an IMAP\SMTP guru but I have used them at various
> levels for the better part of 15+ years and my experience has been
> that when used properly, both protocols are perfectly secure.
Nothing is ever perfectly secure. One of the ideas often used in
security is the "attack surface," which is the whole collection of
exposed services and devices which might be vulnerable and could be
attacked. "Reducing the attack surface" is a mostly universal security
goal. The Microsoft mail environment MUST include Exchange ActiveSync
(EAS) to support mobile clients and Exchange Web Services (EWS) to
support everything else that can use Exchange other than Windows
Outlook. Those are a mandatory part of the attack surface. EAS and EWS
are much more modern and narrowly-defined protocols than the open
standards, and there are no beloved antique clients that can only do
some quirky old version of EWS/EAS with reduced security, as there are
for the open standard protocols. It is not mandatory to support IMAP and
SMTP, as long as you are willing to disappoint users who are fond of
their non-MS mail clients. IMAP and SMTP are *potentially* less secure
than EAS/EWS simply because they are open standards with long histories
and have been evolved in a model that worships backward compatibility.
They are reducible parts of the attack surface. Eliminating them removes
not only a piece of the server-side attack surface, it eliminates an
unknowable universe of client-side issues originating from the entire
menagerie of supporting mail clients.
There is also the uglier issue of Microsoft having a history of insecure
and/or simply dysfunctional SMTP and IMAP implementations. They are
simply lousy at design and implementation of open-standard mail
software. Running a server with optional protocols that the developer
doesn't really want to exist and hasn't implemented well is a security
risk. The MS implementations of open standards are a particularly soft
part of the attack surface.
The other side of this is that homogeneity (a.k.a. monoculture) is
itself a risk concentrator. It isn't possible to quantitatively balance
the risk of making the whole environment vulnerable to Microsoft's
mistakes vs. the difficulty of supporting and monitoring the safety of a
larger attack surface.
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire