Found out this afternoon that the email gurus at the local institution where I have an account don’t understand or don’t care about security: I asked why, after a maintenance outage, I was unable to read email, and an insider sent me a new server name I could use but told me that IMAP is going away, as it doesn’t support encryption and sends passwords in the clear.
    [/Users/paul]:: openssl s_client -connect mail:993
    CONNECTED(00000003)
    [ handshaking omitted ]
    SSL handshake has read 1272 bytes and written 328 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: B448E7A7B703C73C57BC7FA7E8D4E30F8B67DC76E4868C17C16AC2E48B88C642
        Session-ID-ctx:
        Master-Key: 076960369DEDC2E9A2B8BC70D2FF070277D1E440CB2B5D1B0F5AA3770B48BB115FF61DDDF81E39CA23387186C0510F38
        Key-Arg   : None
        Start Time: 1310532030
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Hmm, that seems to work.
    openssl s_client -connect some.email.host:993
    connect: Operation timed out
    connect:errno=60
That doesn’t look like they’re listening on that port.
    openssl s_client -connect some.email.host:143
    CONNECTED(00000003)
    49016:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_clnt.c:607:
So no SSL on the server.
Huh. If I was going to hazard a guess here, I would say that it’s not that IMAP is busted or insecure but that someone’s doing it wrong. When I pointed out that IMAP wasn’t to blame, it turns out that they did try requiring SSL 4 years ago but when it turned out that a lot of the user base didn’t have client software to support it, they turned it off. That’s actually worse: to know that the security of your communications is no better than the worst email client out there, with no standards or requirements, would be a fireable offense in some workplaces.
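An added example, not part of the original post: port 143 speaks cleartext IMAP first and only upgrades through STARTTLS, so the capability list in the greeting is what shows whether a password can cross the wire unencrypted. The function names and the two port-143 greetings below are constructed for illustration; the first greeting is the one captured above.

```python
import re

# Mechanisms that put a reusable password on the wire (base64 is not encryption).
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Greeting from the port 993 session shown in the post.
PAGE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                 "ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
# Constructed samples: cleartext port 143 greetings with and without STARTTLS.
CLEAR_143 = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] ready."
HARDENED_143 = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready."

def parse_capabilities(line):
    """Return the capability set from a greeting or a '* CAPABILITY' reply."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
         or re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip()))
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def assess(caps, tls_active):
    """Classify password exposure for one session.

    tls_active is True when the capabilities were read inside TLS (port 993,
    or after STARTTLS) and False for a cleartext session on port 143.
    """
    if tls_active:
        return "ok: credentials travel inside TLS"
    if not caps:
        return "unknown: no capabilities advertised, send CAPABILITY"
    starttls = "STARTTLS" in caps
    # Without LOGINDISABLED the LOGIN command is accepted before TLS (RFC 3501).
    cleartext_login = "LOGINDISABLED" not in caps or bool(caps & PLAINTEXT_MECHS)
    if starttls and not cleartext_login:
        return "ok: TLS required before login"
    if starttls:
        return "weak: STARTTLS optional, cleartext login still accepted"
    return "exposed: no STARTTLS, passwords sent in the clear"

if __name__ == "__main__":
    for name, line, tls in [("993 (post)", PAGE_GREETING, True),
                            ("143 cleartext", CLEAR_143, False),
                            ("143 hardened", HARDENED_143, False)]:
        print(f"{name:14} {assess(parse_capabilities(line), tls)}")
```

AUTH=PLAIN and AUTH=LOGIN are harmless in the first greeting only because it arrived inside TLS; the same list on a cleartext port 143 session is the exposed case.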