[MlMt] Follow Up to Email Concerns
tech at leding.net
Fri Jun 25 13:39:02 EDT 2021
Agree with everything Bill said here…especially “…unwisely run
organizations drinking vendor Kool-Aid…”
The better solution is using OAuth2 which I believe is supported in many
IMAP servers such as Dovecot.
With that in mind, seems like the big boys are creating a somewhat false
sense of urgency - what we typically called “FUD” in my SE days - so
as to peddle more of that Kool-Aid referenced above…
- - -
On 24 Jun 2021, at 20:21, Bill Cole wrote:
> On 2021-06-24 at 20:35:55 UTC-0400 (Thu, 24 Jun 2021 17:35:55 -0700)
> Harvey Leff <mailmate at lists.freron.com>
> is rumored to have said:
>> I had written earlier that my email provider (the university from
>> which I retired) stopped using IMAP, which would rule out use of
>> MailMate. They also stopped having a "Forward all mail" option so I
>> cannot move my mail to an IMAP-enabled site. I've complained, and the
>> response is below. I switched (with great difficulty) to gmail, which
>> of course uses IMAP and allows me to continue my love affair with
>> It seems that a prime alleged reason for their change is that IMAP
>> does not support 2-Factor authentication. Do any of you experts have
>> knowledge whether that claim is true and really limits security?
> IMAP has no direct support for any form of 2FA because the way IMAP is
> used typically involves multiple short-term authenticated sessions
> with no persistent shared state across them. If you did 2FA directly
> in IMAP with something like a code sent by SMS or generated by a TOTP
> device or app (e.g. Google Authenticator or Duo,) you'd be
> re-authenticating every few minutes, because IMAP does not have any
> equivalent to HTTP cookies.
> Some IMAP servers and clients (including MailMate) support an
> authentication protocol called OAuth2, which delegates the
> authentication to an external web-based protocol which generates
> renewable access tokens that a client like MailMate can use for
> authentication. OAuth2 token providers typically require 2FA. MailMate
> uses OAuth2 to access GMail accounts via IMAP.
>> They are now implementing 2FA using a seemingly complicated system
>> called Duo. Anybody know about that type of 2FA?
> Duo is a brand name for a proprietary 2FA system sold by Cisco
> Systems. It does not directly support OAuth2 and as a proprietary
> system there is no open standard for integrating it into IMAP (or POP
> or SMTP.) It does work with Office365, and Office365 supposedly can be
> an OAuth2 provider. I can't confirm that.
>> The university's reply is below if you are interested and willing to
>> read the claims. What I **DO** know is that the university replaced
>> its standard IMAP/SMTP server with Microsoft's proprietary
> Cisco and Microsoft share an interest in selling proprietary software
> that shuts out 3rd-party tools.
>> Beware, this might be an indicator of the future… Yikes!
> I've heard that about Microsoft and email software before. I don't
> think there's really anything to worry about in a universal sense,
> just a substantial number of unwisely run organizations drinking
> vendor Kool-Aid.
> I can neither confirm or refute your university's assertions about
> what Microsoft's Office365 IMAP service can support. I can say what MM
> sees when it connects:
>> 02:44:43 Trying to connect to outlook.office365.com on port 993
>> (CFNetwork) without STARTTLS (required)
>> 02:44:43 Resolved hostname (outlook.office365.com).
>> 02:44:43 Prepare secure connection...
>> 02:44:43 Successful connection.
>> 02:44:43 Initiating secure connection...
>> 02:44:43 Returned (4)...
>> 02:44:43 Protocol version: kTLSProtocol12
>> 02:44:43 S: * OK The Microsoft Exchange IMAP4 service is ready.
>> 02:44:43 C: A0 CAPABILITY
>> 02:44:43 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2
>> SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
>> 02:44:43 S: A0 OK CAPABILITY completed.
> The "AUTH=XOAUTH2" bit there in the server's response to the IMAP
> CAPABILITY command indicates support for the standard mechanism by
> which IMAP can support OAuth2, potentially backed by 2FA of some
> flavor. Whether that works, I can't say. Whether it can be made to
> work with Duo as the specific 2FA solution, I cannot say. It is
> interesting that MailMate does not use OAuth2 with Microsoft or Yahoo
> accounts, even though both advertise support in their CAPABILITY
> Bill Cole
> bill at scconsult.com or billcole at apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> mailmate mailing list
> mailmate at lists.freron.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the mailmate