[MlMt] Follow Up to Email Concerns
Bill Cole
mmlist-20120120 at billmail.scconsult.com
Thu Jun 24 23:21:44 EDT 2021
On 2021-06-24 at 20:35:55 UTC-0400 (Thu, 24 Jun 2021 17:35:55 -0700)
Harvey Leff <mailmate at lists.freron.com>
is rumored to have said:
> I had written earlier that my email provider (the university from
> which I retired) stopped using IMAP, which would rule out use of
> MailMate. They also stopped having a "Forward all mail" option so I
> cannot move my mail to an IMAP-enabled site. I've complained, and the
> response is below. I switched (with great difficulty) to gmail, which
> of course uses IMAP and allows me to continue my love affair with
> MailMate.
>
> It seems that a prime alleged reason for their change is that IMAP
> does not support 2-Factor authentication. Do any of you experts have
> knowledge whether that claim is true and really limits security?
IMAP has no direct support for any form of 2FA because the way IMAP is
used typically involves multiple short-term authenticated sessions with
no persistent shared state across them. If you did 2FA directly in IMAP
with something like a code sent by SMS or generated by a TOTP device or
app (e.g. Google Authenticator or Duo), you'd be re-authenticating every
few minutes, because IMAP does not have any equivalent to HTTP cookies.
Some IMAP servers and clients (including MailMate) support an
authentication protocol called OAuth2, which delegates the
authentication to an external web-based protocol which generates
renewable access tokens that a client like MailMate can use for
authentication. OAuth2 token providers typically require 2FA. MailMate
uses OAuth2 to access GMail accounts via IMAP.
> They are now implementing 2FA using a seemingly complicated system
> called Duo. Anybody know about that type of 2FA?
Duo is a brand name for a proprietary 2FA system sold by Cisco Systems.
It does not directly support OAuth2 and as a proprietary system there is
no open standard for integrating it into IMAP (or POP or SMTP.) It does
work with Office365, and Office365 supposedly can be an OAuth2 provider.
I can't confirm that.
> The university's reply is below if you are interested and willing to
> read the claims. What I **DO** know is that the university replaced
> its standard IMAP/SMTP server with Microsoft's proprietary ActiveSync.
Cisco and Microsoft share an interest in selling proprietary software
that shuts out 3rd-party tools.
> Beware, this might be an indicator of the future… Yikes!
I've heard that about Microsoft and email software before. I don't think
there's really anything to worry about in a universal sense, just a
substantial number of unwisely run organizations drinking vendor
Kool-Aid.
I can neither confirm nor refute your university's assertions about what
Microsoft's Office365 IMAP service can support. I can say what MM sees
when it connects:
> 02:44:43 Trying to connect to outlook.office365.com on port 993
> (CFNetwork) without STARTTLS (required)
> 02:44:43 Resolved hostname (outlook.office365.com).
> 02:44:43 Prepare secure connection...
> 02:44:43 Successful connection.
> 02:44:43 Initiating secure connection...
> 02:44:43 Returned (4)...
> 02:44:43 Protocol version: kTLSProtocol12
> 02:44:43 S: * OK The Microsoft Exchange IMAP4 service is ready.
> [QwBIADIAUABSADEANQBDAEEAMAAwADEAMwAuAG4AYQBtAHAAcgBkADEANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
> 02:44:43 C: A0 CAPABILITY
> 02:44:43 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2
> SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
> 02:44:43 S: A0 OK CAPABILITY completed.
The "AUTH=XOAUTH2" bit there in the server's response to the IMAP
CAPABILITY command indicates support for the standard mechanism by which
IMAP can support OAuth2, potentially backed by 2FA of some flavor.
Whether that works, I can't say. Whether it can be made to work with Duo
as the specific 2FA solution, I cannot say. It is interesting that
MailMate does not use OAuth2 with Microsoft or Yahoo accounts, even
though both advertise support in their CAPABILITY replies.
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
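As an added illustration of the CAPABILITY point above (this is not code from the thread or from MailMate), the following Python parses a server's untagged CAPABILITY reply to see which SASL mechanisms it offers, flags when a password mechanism is still advertised next to XOAUTH2 (so the IMAP endpoint alone does not enforce 2FA), and builds and decodes the SASL XOAUTH2 initial client response that a client sends after `AUTHENTICATE XOAUTH2`. The sample reply is constructed from the quoted log, rejoined onto one line; the user name and token are placeholders.

```python
import base64
from typing import List, Tuple

# Constructed sample: the CAPABILITY reply quoted in the message above,
# rejoined onto a single untagged response line.
SAMPLE_CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 "
    "SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+"
)


def sasl_mechanisms(capability_line: str) -> List[str]:
    """Return the SASL mechanisms advertised as AUTH=<name> tokens (RFC 3501)."""
    tokens = capability_line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return [t.split("=", 1)[1].upper() for t in tokens[2:] if t.upper().startswith("AUTH=")]


def supports_xoauth2(capability_line: str) -> bool:
    """True when the server advertises the XOAUTH2 SASL mechanism."""
    return "XOAUTH2" in sasl_mechanisms(capability_line)


def password_auth_still_offered(capability_line: str) -> bool:
    """True when a plain-password mechanism (PLAIN or LOGIN) is still offered.
    In that case any 2FA lives in the OAuth2 provider, not in the IMAP endpoint."""
    return any(m in ("PLAIN", "LOGIN") for m in sasl_mechanisms(capability_line))


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the XOAUTH2 initial client response:
    base64("user=" user ^A "auth=Bearer " token ^A ^A).
    IMAP only ever sees the bearer token issued by the OAuth2 provider."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_xoauth2_initial_response(encoded: str) -> Tuple[str, str]:
    """Decode an XOAUTH2 initial response (e.g. from a debug log) into (user, token)."""
    raw = base64.b64decode(encoded).decode("utf-8")
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    auth = fields["auth"]
    if not auth.startswith("Bearer "):
        raise ValueError("unexpected auth field in XOAUTH2 response")
    return fields["user"], auth[len("Bearer "):]
```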