On Fri, Feb 13, 2009 at 09:13:40AM -0500, Adam Tauno Williams wrote:
> On Fri, 2009-02-13 at 13:17 +0000, Duncan Gibb wrote:
> > Jason Voorhees wrote:
> > JV> a sales person told my friend that IMAP protocol is
> > JV> less secure than POP3 protocol.
> >
> > Other people have covered the IMAP vs POP3 issues - Ian Batten most
> > comprehensively - but one comment I would add is that if you make either
> > service available to the open internet, even under SSL encryption,
> > password-based authentication is still susceptible to dictionary attack.
> > So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list
> > of things you rate limit, monitor for bad password attempts, and lock
> > remote hosts out of if they do things that look suspicious.

That got me thinking .... I rate limit ssh connections to try to prevent
dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the
same with IMAP would that cause problems with some clients, ie are there
some clients that do too many connect/disconnects?

> True; but really none of those good practices is specific to any
> protocol. The exact same charge could be leveled against HTTP, FTP,
> SSH, etc... and if you use certificate/PKI authentication you run the
> risk that someone could steal the private keys (and it isn't hard to
> make a setup where that is comically easy). It is really far and away
> more about end-to-end security practices than it is the OSI layer 7
> protocol(s) involved.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
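The question in the message above turns on what the limiter counts. The following is an added example, not code from the thread or from Cyrus: a sliding-window lockout in the spirit of the "3 attempts / 3 minutes / IP" SSH policy, replayed over constructed events for a mail client that reconnects every 10 seconds with valid credentials and a separate source guessing passwords. Counting every connection locks the legitimate client out; counting only failed authentications locks out the guesser alone. The `SlidingWindowLimiter` class, the `replay` helper and the `EVENTS` data are all assumptions made for this illustration, and the addresses are private/test-net values.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Lock a source IP once it produces `limit` counted events within
    `window` seconds. The caller decides which events are counted."""

    def __init__(self, limit=3, window=180):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # ip -> timestamps of counted events
        self._locked_until = {}             # ip -> time at which the lockout expires

    def is_locked(self, ip, now):
        return now < self._locked_until.get(ip, -1)

    def count(self, ip, now):
        """Count one event for `ip`; return True if `ip` is locked afterwards."""
        q = self._events[ip]
        while q and now - q[0] > self.window:   # drop events that fell out of the window
            q.popleft()
        q.append(now)
        if len(q) >= self.limit:
            self._locked_until[ip] = now + self.window
            return True
        return False


# Constructed events: (seconds, source IP, authenticated?). 10.0.0.5 is a mail
# client polling every 10 s with correct credentials; 203.0.113.9 is a
# password-guessing source that fails every time.
EVENTS = [(t, "10.0.0.5", True) for t in range(0, 100, 10)] + \
         [(t, "203.0.113.9", False) for t in (5, 12, 20, 31, 45)]


def replay(events, count_failures_only):
    """Feed events through a fresh limiter (3 events / 180 s per IP).

    Returns {ip: number of connections refused because the IP was locked}.
    With count_failures_only=True, successful logins never count towards
    the limit, so a chatty but well-behaved client is never refused.
    """
    limiter = SlidingWindowLimiter(limit=3, window=180)
    refused = defaultdict(int)
    for now, ip, ok in sorted(events):
        if limiter.is_locked(ip, now):
            refused[ip] += 1
            continue
        if count_failures_only and ok:
            continue
        limiter.count(ip, now)
    return dict(refused)


if __name__ == "__main__":
    print("connections counted:", replay(EVENTS, count_failures_only=False))
    print("failures counted:   ", replay(EVENTS, count_failures_only=True))
```

The connection-counting variant refuses seven of the legitimate client's ten sessions, which is exactly the breakage the message worries about; the failure-counting variant refuses only the guesser's last two attempts and leaves the client untouched, so keying the rule on failed authentication rather than on connects is what makes an SSH-style policy safe to apply to IMAP.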