
IMAP security issues?


Carl Thoreson

Nov 29, 2007, 7:19:02 PM

I have a user who has gotten an iPhone and would like to start getting her
email on the phone. I can set it up for her to retrieve the email from the
Exchange server via IMAP, but at the moment we have IMAP disabled on the
server and blocked on the firewall. My predecessor saw IMAP as a security
risk so he disabled it.

My experience with IMAP has been positive, so I would generally be inclined
to re-enable it and open the port on the firewall to make it work on the
iPhone, but before I do that I want to see what everyone else thinks. Is
there a valid reason to block IMAP or can I turn it on?

Any comments would be appreciated.

Thanks,

Carl

Andy David {MVP}

Nov 29, 2007, 7:34:03 PM

Why not? Do you allow OWA access from the outside?
Be sure to require IMAP over SSL.
Also, the iPhone requires an SMTP server to send, so you'll need to
figure out how you want to handle that. iPhones have also been known
to sometimes, um, accidentally, clean out message items, so be prepared
for that :P

Carl Thoreson

Nov 29, 2007, 8:05:00 PM

Yes, we do allow OWA from the outside. I'm glad you mentioned the SMTP
server issue. That's actually a bigger problem as all of our email goes
through a spam service and their servers are the only ones allowed to send
SMTP to our server.

stephenkaufman

Nov 30, 2007, 2:57:29 PM

When you reference OWA in the context of IMAP security, what is the correlation? Does OWA access to MS Exchange presuppose IMAP access? I ask because we have the same situation. We have about 20 iPhone users who want their mail and IT just says "IMAP is not a secure messaging protocol therefore, we will not allow it." If we allow OWA access (which I know we do), does that blow their argument? Thanks for expanding on this.

Stephen

Mark Arnold [MVP]

Nov 30, 2007, 5:41:55 PM

Well IMAP isn't secure but IMAP(S) is. One assumes the phone does
IMAP(S) (TCP993 rather than 143) so IT should be ok with configuring
that. They don't even need a new certificate.
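
Added example, not part of the thread or of any poster's message: the difference between cleartext IMAP on TCP 143 and IMAP over SSL on TCP 993 discussed above is visible in the server's CAPABILITY response (RFC 3501). The Python below classifies a listener from that response; the function names and the sample responses are constructed for illustration, and `probe` assumes network access to a mail host you administer.

```python
# Added example: classify an IMAP listener from its CAPABILITY response (RFC 3501).
import imaplib
import ssl

PLAINTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}  # mechanisms that send the password itself

def parse_capabilities(line):
    """Return the capability atoms from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    text = line.upper()
    start = text.find("CAPABILITY")
    if start < 0:
        return set()
    rest = text[start + len("CAPABILITY"):]
    rest = rest.split("]", 1)[0]          # the greeting form closes the list with ']'
    return set(rest.split())

def assess(caps, tls_active):
    """List the problems with offering these capabilities on this channel."""
    findings = []
    if tls_active:
        return findings                   # the checks below concern cleartext channels only
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: session cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN allowed before TLS: password crosses the wire in clear")
    for mech in sorted(caps & PLAINTEXT_SASL):
        findings.append(mech + " offered before TLS: password recoverable from a capture")
    return findings

def probe(host):
    """Live check of both listeners; host is supplied by the caller (hypothetical helper)."""
    results = {}
    plain = imaplib.IMAP4(host, 143)
    results[143] = assess(set(plain.capabilities), tls_active=False)
    plain.logout()
    # The default context verifies the certificate chain and host name.
    secure = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    results[993] = assess(set(secure.capabilities), tls_active=True)
    secure.logout()
    return results

# Constructed sample responses, not captured from any real server.
SAMPLE_143_WEAK = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] server ready"
SAMPLE_143_HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    for sample in (SAMPLE_143_WEAK, SAMPLE_143_HARDENED):
        print(sample, "->", assess(parse_capabilities(sample), tls_active=False))
```

A port 143 listener that returns an empty findings list only accepts credentials after STARTTLS; any other result means a password can be sent before encryption starts.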

Dimitri

Dec 1, 2007, 6:39:38 AM

IMAP(s) may be secure but the iPhone itself isn't. With OWA mail is
not downloaded from the server.
With IMAP the email is stored on the iPhone itself and there is no way
to control that device in terms of password protection, encryption,
etc. So if the device is lost or stolen the data on it can be easily
accessed. Also there is no way to remotely wipe the device either. Of
course you can change that user's password so no further mail
downloads can take place but still the mail that is already on the
device stays there. This is why BlackBerry is so successful in the
corporate world where security is taken seriously. We also had a
request to enable this for some VIP users who got an iPhone but it was
rejected straight away due to security reasons.

Mark Arnold [MVP]

Dec 2, 2007, 7:48:51 AM

So true. BlackBerry and Windows Mobile are the ways to go for
corporate data on the device.

Andre-John Mas

Dec 19, 2007, 11:15:44 AM

On Dec 2, 7:48 am, "Mark Arnold [MVP]" <m...@mvps.org> wrote:
> On Sat, 1 Dec 2007 03:39:38 -0800 (PST), Dimitri
> <dimitare.nedeltc...@gmail.com> wrote:
> >On Nov 30, 10:41 pm, "Mark Arnold [MVP]" <m...@mvps.org> wrote:
> >> On Fri, 30 Nov 2007 11:57:29 -0800, Stephen Kaufman wrote:
> >> >When you reference OWA in the context of IMAP security, what is the correlation? Does OWA access to MS Exchange presuppose IMAP access? I ask because we have the same situation. We have about 20 iPhone users who want their mail and IT just says "IMAP is not a secure messaging protocol therefore, we will not allow it." If we allow OWA access (which I know we do), does that blow their argument? Thanks for expanding on this.
> >> >
> >> >Stephen
> >>
> >> Well IMAP isn't secure but IMAP(S) is. One assumes the phone does
> >> IMAP(S) (TCP993 rather than 143) so IT should be ok with configuring
> >> that. They don't even need a new certificate.
> >
> >IMAP(s) may be secure but the iPhone itself isn't. With OWA mail is
> >not downloaded from the server.
> >With IMAP the email is stored on the iPhone itself and there is no way
> >to control that device in terms of password protection, encryption,
> >etc. So if the device is lost or stolen the data on it can be easily
> >accessed. Also there is no way to remotely wipe the device either. Of
> >course you can change that user's password so no further mail
> >downloads can take place but still the mail that is already on the
> >device stays there. This is why BlackBerry is so successful in the
> >corporate world where security is taken seriously. We also had a
> >request to enable this for some VIP users who got an iPhone but it was
> >rejected straight away due to security reasons.

This may be true of BlackBerry, but is this true of Windows Mobile?

> So true. BlackBerry and Windows Mobile are the ways to go for
> corporate data on the device.

What makes these devices more secure than the iPhone? For me the
iPhone is the brink of the iceberg of what is yet to come and being
vague about what issues are security concerns is not going to cut it.

Andre

Andre-John Mas

Dec 19, 2007, 11:21:24 AM

On Nov 29, 8:05 pm, Carl Thoreson <CarlThore...@discussions.microsoft.com> wrote:
> Yes, we do allow OWA from the outside. I'm glad you mentioned the SMTP
> server issue. That's actually a bigger problem as all of our email goes
> through a spam service and their servers are the only ones allowed to send
> SMTP to our server.

SMTP supports authentication for sending e-mails and as far as I can
tell there is SMTP/SSL, though I am not aware to what extent Exchange
supports this. I am in the process of investigating this myself.

For me all protocols accessed from beyond the company VPN, handling
private corporate data, must have support for SSL and user
authentication.

Andre
