POP3 and (password) security

This is one of the most common "security misunderstandings" and I see it very often.

Whenever I am setting up e-mail servers and enabling web access, there is always a long and hard discussion on security. Customers are usually worried at this point about protection of their servers and about the usernames and passwords that will be sent over the internet. The obvious solution is SSL, or better TLS, which ensures that usernames, passwords and e-mail content are transferred from the client computer to the e-mail server and vice versa in a secure (encrypted) way.

After this is done, I often get the strangest request possible: enable and open POP3 and/or IMAP access to the server... and with this one simple sentence all the security planning and considerations are gone.

What I can't really understand is why almost everyone thinks about security, SSL and encryption when it comes to web access, yet no one associates the same security risks with the POP3, IMAP and SMTP protocols and the passwords they transfer.


Username and password are often sent in clear text (picture above)

POP3 is not some magical protocol that would encrypt anything by itself. Yes, it is possible to set up POP3 and IMAP in a secure way (POP3S, IMAPS), but it requires a bit more work compared to HTTPS and web access.

With web access you don't have to configure the clients, while with POP3 and IMAP you have to set the clients up to use the secure protocols so that usernames and passwords are sent in an encrypted way. The same option also protects (encrypts) the content of the e-mail while it is being downloaded from the server.

Content is also often transferred without protection... (picture above)

None of this is done by default, and most ISPs work in this manner! Even in closed (corporate) environments it can be challenging to configure a couple of hundred, if not thousands, of clients. Most environments will have a hard time switching from insecure to secure protocols (e.g. POP3 to POP3S) because of the extra client configuration, possible downtime or even application incompatibilities. This is why it is extremely important to set up services and networks in a secure way in the first place.

There is another situation to consider, and it is an important one for roaming users. If you move from your own network to a network where you are a guest, you might only be allowed access to some basic protocols such as HTTP, HTTPS, SMTP and POP3, but not POP3S. POP3 by default runs on TCP port 110, while POP3S by default runs on TCP port 995, which might not be open on a guest network, preventing roaming users from accessing their e-mail. This is a more common problem than one might expect.
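As an added example (not code from the original post), here is a small Python audit that walks captured POP3 session transcripts and reports which clients still send USER, PASS and RETR in the clear on port 110. It treats port 995 as encrypted from the first byte and a successful STLS (the RFC 2595 in-session TLS upgrade, which the post does not cover) as encrypting everything after it; the transcript format and the sample sessions are constructed for this example.

```python
from dataclasses import dataclass

POP3S_PORT = 995  # implicit TLS from the first byte; port 110 is clear text

@dataclass
class Finding:
    port: int
    cleartext_user: str = ""          # username seen in the clear ("" if none)
    cleartext_password: bool = False  # PASS command seen in the clear
    cleartext_messages: int = 0       # RETR commands issued in the clear
    upgraded_with_stls: bool = False  # session switched to TLS via STLS

def audit_session(port, lines):
    """Walk one transcript of (direction, text) pairs; 'C' = client->server."""
    f = Finding(port=port)
    if port == POP3S_PORT:
        return f  # the capture holds only ciphertext, nothing to inspect
    pending_stls = False
    for direction, text in lines:
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if direction == "S":
            if pending_stls and text.startswith("+OK"):
                f.upgraded_with_stls = True
                break  # everything after a successful STLS is encrypted
            pending_stls = False
            continue
        if verb == "STLS":
            pending_stls = True
        elif verb == "USER":
            f.cleartext_user = arg
        elif verb == "PASS":
            f.cleartext_password = True
        elif verb == "RETR":
            f.cleartext_messages += 1
    return f

# Constructed transcripts (not real captures) of three clients on one server.
SESSIONS = {
    "laptop-plain": (110, [("S", "+OK POP3 ready"), ("C", "USER alice"),
                           ("S", "+OK"), ("C", "PASS s3cret"), ("S", "+OK"),
                           ("C", "RETR 1"), ("S", "+OK 1482 octets")]),
    "laptop-stls": (110, [("S", "+OK POP3 ready"), ("C", "STLS"),
                          ("S", "+OK Begin TLS"), ("C", "USER bob")]),
    "phone-pop3s": (995, [("C", "<TLS handshake>")]),
}

def audit_all(sessions=SESSIONS):
    # {client name: Finding}, so an admin sees who still logs in unencrypted
    return {n: audit_session(p, l) for n, (p, l) in sessions.items()}
```

Running `audit_all()` flags only the plain port-110 client; the STLS and port-995 clients expose neither credentials nor message bodies in the capture.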
