SV: SV: Outlook vs Thunderbird

Sebastian Nielsen sebastian at sebbe.eu
Tue Jul 7 20:00:23 EEST 2020


Sorry about that, it's just Outlook that does that by default. But I have manually deleted your address in this reply now.
I don't know what you mean by "top posting"?

What I mean is that if you have other security on the connection (be it physical security - the connection doesn't go over public means, or VPN - connection level encryption) then you don't need additional encryption on top of that.

Of course you must judge other risks in the physical environment - if a hacker connects his laptop to a guest wifi or reception RJ45 port and ARP spoofs - what's gonna happen? So you must of course segment and separate those networks from your internal LAN (so a hacker is now gonna need an access badge to even get a foot into the internal LAN), and also activate static ARP in your switches so even if a hacker ARP spoofs (from an infected client inside the internal LAN), nothing is gonna come out of the pipe.


-----Original message-----
From: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> On behalf of Alexander Dalloz
Sent: 7 July 2020 18:30
To: dovecot at dovecot.org
Subject: Re: SV: Outlook vs Thunderbird

On 07.07.2020 at 18:11, Sebastian Nielsen wrote:
> Plaintext access is no problem if the connection is secured via other means - for example internal network or VPN.
> If the IMAP server cannot be accessed from the outside, and the traffic doesn't travel over wifi or public networks, no danger.

First of all, please keep answers on the mailing list only. Obviously I am subscribed and I don't need to get your reply twice, by list distribution and in addition to my personal address.

And top-posting is another thing you should avoid.

To your answer: I disagree and see that you have a false understanding of security. You want service protocol encryption (here for IMAP or POP3) from end to end. Nothing which breaks up encryption in between.

That's valid for any size of environment. You may judge the risk is tolerable in case you run your own small setup where you are the only user. But I replied to Mark's note where he wrote about ~100 clients. So he is either running an IMAP service for clients - where it is irresponsible to not teach them about security and instead lower the protection to none - or administering a company network for which end to end service encryption is a must too.

Alexander
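
A check related to the plaintext-access question debated in this thread, as an added example that is not part of either poster's message or of Dovecot itself: it reads the capability list an IMAP server advertises before TLS (RFC 3501 `STARTTLS`, `LOGINDISABLED`, `AUTH=`) and reports whether a password could be sent in the clear. The greeting strings and function names are constructed for illustration.

```python
import re

# Constructed sample greetings (not captured from any real server).
GREETING_PLAINTEXT_OK = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
)
GREETING_TLS_ENFORCED = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready."
)
UNTAGGED_REPLY = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

# SASL mechanisms that transmit the password itself (only encoded, not hashed).
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Return upper-cased capability atoms from a greeting or CAPABILITY reply."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)  # response-code form
    if m is None:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)  # untagged form
    return {c.upper() for c in m.group(1).split()} if m else set()


def audit_pre_tls(line):
    """Classify what the server advertises to a client that has not started TLS."""
    caps = parse_capabilities(line)
    if not caps:
        return {"verdict": "unknown", "login_allowed": None, "cleartext_sasl": []}
    # RFC 3501: LOGIN is available unless LOGINDISABLED is advertised.
    login_allowed = "LOGINDISABLED" not in caps
    sasl = sorted(c[5:] for c in caps
                  if c.startswith("AUTH=") and c[5:] in CLEARTEXT_SASL)
    if login_allowed or sasl:
        verdict = "plaintext-auth-possible"
    elif "STARTTLS" in caps:
        verdict = "tls-required"
    else:
        verdict = "no-starttls"  # no cleartext login, but no upgrade path either
    return {"verdict": verdict, "login_allowed": login_allowed,
            "cleartext_sasl": sasl}


if __name__ == "__main__":
    for sample in (GREETING_PLAINTEXT_OK, GREETING_TLS_ENFORCED, UNTAGGED_REPLY):
        print(audit_pre_tls(sample))
```

The result reflects only what the server advertises on the unencrypted port; it says nothing about the network path the traffic takes.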


