[MlMt] Follow Up to Email Concerns

Bill Cole mmlist-20120120 at billmail.scconsult.com
Thu Jun 24 23:21:44 EDT 2021

On 2021-06-24 at 20:35:55 UTC-0400 (Thu, 24 Jun 2021 17:35:55 -0700)
Harvey Leff <mailmate at lists.freron.com>
is rumored to have said:

> I had written earlier that my email provider (the university from 
> which I retired) stopped using IMAP, which would rule out use of 
> MailMate. They also stopped having a "Forward all mail" option so I 
> cannot move my mail to an IMAP-enabled site. I've complained, and the 
> response is below. I switched (with great difficulty) to gmail, which 
> of course uses IMAP and allows me to continue my love affair with 
> MailMate.
> It seems that a prime alleged reason for their change is that IMAP 
> does not support 2-Factor authentication. Do any of you experts have 
> knowledge whether that claim is true and really limits security?

IMAP has no direct support for any form of 2FA because the way IMAP is 
used typically involves multiple short-term authenticated sessions with 
no persistent shared state across them. If you did 2FA directly in IMAP 
with something like a code sent by SMS or generated by a TOTP device or 
app (e.g. Google Authenticator or Duo,) you'd be re-authenticating every 
few minutes, because IMAP does not have any equivalent to HTTP cookies.

Some IMAP servers and clients (including MailMate) support an 
authentication protocol called OAuth2, which delegates the 
authentication to an external web-based protocol which generates 
renewable access tokens that a client like MailMate can use for 
authentication. OAuth2 token providers typically require 2FA. MailMate 
uses OAuth2 to access GMail accounts via IMAP.

> They are now implementing 2FA using a seemingly complicated system 
> called Duo. Anybody know about that type of 2FA?

Duo is a brand name for a proprietary 2FA system sold by Cisco Systems. 
It does not directly support OAuth2 and as a proprietary system there is 
no open standard for integrating it into IMAP (or POP or SMTP.) It does 
work with Office365, and Office365 supposedly can be an OAuth2 provider. 
I can't confirm that.

> The university's reply is below if you are interested and willing to 
> read the claims. What I **DO** know is that the university replaced 
> its standard IMAP/SMTP server with Microsoft's proprietary ActiveSync.

Cisco and Microsoft share an interest in selling proprietary software 
that shuts out 3rd-party tools.

> Beware, this might be an indicator of the futureā€¦ Yikes!

I've heard that about Microsoft and email software before. I don't think 
there's really anything to worry about in a universal sense, just a 
substantial number of unwisely run organizations drinking vendor 

I can neither confirm or refute your university's assertions about what 
Microsoft's Office365 IMAP service can support. I can say what MM sees 
when it connects:

> 02:44:43 Trying to connect to outlook.office365.com on port 993 
> (CFNetwork) without STARTTLS (required)
> 02:44:43 Resolved hostname (outlook.office365.com).
> 02:44:43 Prepare secure connection...
> 02:44:43 Successful connection.
> 02:44:43 Initiating secure connection...
> 02:44:43  Returned (4)...
> 02:44:43 Protocol version: kTLSProtocol12
> 02:44:43 S: * OK The Microsoft Exchange IMAP4 service is ready. 
> 02:44:43 C: A0 CAPABILITY
> 02:44:43 S: A0 OK CAPABILITY completed.

The "AUTH=XOAUTH2" bit there in the server's response to the IMAP 
CAPABILITY command indicates support for the standard mechanism by which 
IMAP can support OAuth2, potentially backed by 2FA of some flavor. 
Whether that works, I can't say. Whether it can be made to work with Duo 
as the specific 2FA solution, I cannot say. It is interesting that 
MailMate does not use OAuth2 with Microsoft or Yahoo accounts, even 
though both advertise support in their CAPABILITY replies.

Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

More information about the mailmate mailing list