[MlMt] 2nd IT&IP Service Notice: Campus Email Protocols IMAP/SMTP/POP Disabled - 2/1

Bill Cole mmlist-20120120 at billmail.scconsult.com
Fri Feb 5 13:30:50 EST 2021


On 4 Feb 2021, at 16:12, Antonio Leding wrote:

> This may be the wrong forum for my question but I’m feeling 
> adventurous…so here goes…
>
> Is there any technical reason, such as infosec, to remove IMAP\SMTP 
> from one’s network?

Generally? No.

If you're already committed to an Exchange/Office365 environment, maybe.

> I am by no means an IMAP\SMTP guru but I have used them at various 
> levels for the better part of 15+ years and my experience has been 
> that when used properly, both protocols are perfectly secure.

Nothing is ever perfectly secure. One of the ideas often used in 
security is the "attack surface," which is the whole collection of 
exposed services and devices which might be vulnerable and could be 
attacked. "Reducing the attack surface" is a mostly universal security 
goal. The Microsoft mail environment MUST include Exchange ActiveSync 
(EAS) to support mobile clients and Exchange Web Services (EWS) to 
support everything else that can use Exchange other than Windows 
Outlook. Those are a mandatory part of the attack surface. EAS and EWS 
are much more modern and narrowly-defined protocols than the open 
standards, and there are no beloved antique clients that can only do 
some quirky old version of EWS/EAS with reduced security, as there are 
for the open standard protocols. It is not mandatory to support IMAP and 
SMTP, as long as you are willing to disappoint users who are fond of 
their non-MS mail clients. IMAP and SMTP are *potentially* less secure 
than EAS/EWS simply because they are open standards with long histories 
and have been evolved in a model that worships backward compatibility. 
They are reducible parts of the attack surface. Eliminating them removes 
not only a piece of the server-side attack surface, it eliminates an 
unknowable universe of client-side issues originating from the entire 
menagerie of supporting mail clients.

There is also the uglier issue of Microsoft having a history of insecure 
and/or simply dysfunctional SMTP and IMAP implementations. They are 
simply lousy at design and implementation of open-standard mail 
software. Running a server with optional protocols that the developer 
doesn't really want to exist and hasn't implemented well is a security 
risk. The MS implementations of open standards are a particularly soft 
part of the attack surface.

The other side of this is that homogeneity (a.k.a. monoculture) is 
itself a risk concentrator. It isn't possible to quantitatively balance 
the risk of making the whole environment vulnerable to Microsoft's 
mistakes vs. the difficulty of supporting and monitoring the safety of a 
larger attack surface.

-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

