[MlMt] Follow Up to Email Concerns

Antonio Leding tech at leding.net
Fri Jun 25 13:39:02 EDT 2021

Agree with everything Bill said here…especially “…unwisely run 
organizations drinking vendor Kool-Aid…”

The better solution is using OAuth2 which I believe is supported in many 
IMAP servers such as Dovecot.

With that in mind, seems like the big boys are creating a somewhat false 
sense of urgency - what we typically called “FUD” in my SE days - so 
as to peddle more of that Kool-Aid referenced above…

- - -

On 24 Jun 2021, at 20:21, Bill Cole wrote:

> On 2021-06-24 at 20:35:55 UTC-0400 (Thu, 24 Jun 2021 17:35:55 -0700)
> Harvey Leff <mailmate at lists.freron.com>
> is rumored to have said:
>> I had written earlier that my email provider (the university from 
>> which I retired) stopped using IMAP, which would rule out use of 
>> MailMate. They also stopped having a "Forward all mail" option so I 
>> cannot move my mail to an IMAP-enabled site. I've complained, and the 
>> response is below. I switched (with great difficulty) to gmail, which 
>> of course uses IMAP and allows me to continue my love affair with 
>> MailMate.
>> It seems that a prime alleged reason for their change is that IMAP 
>> does not support 2-Factor authentication. Do any of you experts have 
>> knowledge whether that claim is true and really limits security?
> IMAP has no direct support for any form of 2FA because the way IMAP is 
> used typically involves multiple short-term authenticated sessions 
> with no persistent shared state across them. If you did 2FA directly 
> in IMAP with something like a code sent by SMS or generated by a TOTP 
> device or app (e.g. Google Authenticator or Duo,) you'd be 
> re-authenticating every few minutes, because IMAP does not have any 
> equivalent to HTTP cookies.
> Some IMAP servers and clients (including MailMate) support an 
> authentication protocol called OAuth2, which delegates the 
> authentication to an external web-based protocol which generates 
> renewable access tokens that a client like MailMate can use for 
> authentication. OAuth2 token providers typically require 2FA. MailMate 
> uses OAuth2 to access GMail accounts via IMAP.
>> They are now implementing 2FA using a seemingly complicated system 
>> called Duo. Anybody know about that type of 2FA?
> Duo is a brand name for a proprietary 2FA system sold by Cisco 
> Systems. It does not directly support OAuth2 and as a proprietary 
> system there is no open standard for integrating it into IMAP (or POP 
> or SMTP.) It does work with Office365, and Office365 supposedly can be 
> an OAuth2 provider. I can't confirm that.
>> The university's reply is below if you are interested and willing to 
>> read the claims. What I **DO** know is that the university replaced 
>> its standard IMAP/SMTP server with Microsoft's proprietary 
>> ActiveSync.
> Cisco and Microsoft share an interest in selling proprietary software 
> that shuts out 3rd-party tools.
>> Beware, this might be an indicator of the future… Yikes!
> I've heard that about Microsoft and email software before. I don't 
> think there's really anything to worry about in a universal sense, 
> just a substantial number of unwisely run organizations drinking 
> vendor Kool-Aid.
> I can neither confirm or refute your university's assertions about 
> what Microsoft's Office365 IMAP service can support. I can say what MM 
> sees when it connects:
>> 02:44:43 Trying to connect to outlook.office365.com on port 993 
>> (CFNetwork) without STARTTLS (required)
>> 02:44:43 Resolved hostname (outlook.office365.com).
>> 02:44:43 Prepare secure connection...
>> 02:44:43 Successful connection.
>> 02:44:43 Initiating secure connection...
>> 02:44:43  Returned (4)...
>> 02:44:43 Protocol version: kTLSProtocol12
>> 02:44:43 S: * OK The Microsoft Exchange IMAP4 service is ready. 
>> 02:44:43 C: A0 CAPABILITY
>> 02:44:43 S: A0 OK CAPABILITY completed.
> The "AUTH=XOAUTH2" bit there in the server's response to the IMAP 
> CAPABILITY command indicates support for the standard mechanism by 
> which IMAP can support OAuth2, potentially backed by 2FA of some 
> flavor. Whether that works, I can't say. Whether it can be made to 
> work with Duo as the specific 2FA solution, I cannot say. It is 
> interesting that MailMate does not use OAuth2 with Microsoft or Yahoo 
> accounts, even though both advertise support in their CAPABILITY 
> replies.
> -- 
> Bill Cole
> bill at scconsult.com or billcole at apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> _______________________________________________
> mailmate mailing list
> mailmate at lists.freron.com
> https://lists.freron.com/listinfo/mailmate
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20210625/3f3927b1/attachment.htm>

More information about the mailmate mailing list