On Tue, Jan 11, 2011 at 08:56:01AM +1100, Bron Gondwana wrote:
> > Running IMAP over 143 should be safe from over the wire snooping, if the
> > server is properly configured.
>
> Yeah, that's what's known as "wishful thinking" I suspect. Has anyone
> actually done any testing on this?

And it's certainly not safe from a man-in-the-middle attack which strips
the LOGINDISABLED from the CAPABILITY response, while SSL with a client
that checks certificates is.

True - a client that refuses to use non-TLS sessions is similarly safe,
but in that case why not just use SSL and avoid the extra round-trip?

Bron.

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
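
The client-side decision discussed in the message above, as an added example that is not part of the original post: a client that trusts the advertised capabilities compared with one that refuses any non-TLS session. The function names, the `require_tls` parameter and the sample greeting lines are constructed for illustration.

```python
import re

def parse_capabilities(line):
    """Return the upper-cased capability atoms from an IMAP greeting
    ("* OK [CAPABILITY ...] text") or an untagged "* CAPABILITY ..." line."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)$", line.strip(), re.I))
    return {c.upper() for c in m.group(1).split()} if m else set()

def next_step(cap_line, tls_active, require_tls=True):
    """Decide what the client does before sending credentials on port 143.

    cap_line is whatever arrived on the cleartext socket, so it is
    unauthenticated input: anyone on the path can rewrite it.
    """
    if tls_active:
        # Credentials only travel inside an established TLS session whose
        # certificate was checked. RFC 3501 also requires discarding the
        # pre-TLS capabilities and asking for CAPABILITY again at this point.
        return "LOGIN"
    caps = parse_capabilities(cap_line)
    if "STARTTLS" in caps:
        return "STARTTLS"
    if require_tls:
        # Strict client: no STARTTLS offered means no session at all.
        return "ABORT"
    if "LOGINDISABLED" in caps:
        return "ABORT"
    # Lax client: nothing forbids LOGIN, so the password goes out in clear.
    return "LOGIN_PLAINTEXT"

# Constructed sample lines: what a properly configured server sends, and the
# same greeting as the client sees it once STARTTLS and LOGINDISABLED are gone.
SERVER_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
ALTERED_GREETING = "* OK [CAPABILITY IMAP4rev1] ready"

if __name__ == "__main__":
    for label, line in (("server", SERVER_GREETING), ("altered", ALTERED_GREETING)):
        for strict in (True, False):
            print(label, "require_tls=%s" % strict, "->",
                  next_step(line, tls_active=False, require_tls=strict))
```
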