
Questions tagged [imap]

Internet Message Access Protocol, or IMAP, is a mail protocol used to retrieve mail from a mailbox. In contrast to POP, IMAP is designed to allow complete management of a mailbox from multiple different mail clients. This means that, unlike with POP, mail retrieved over IMAP by default also remains on the mail server unless the user explicitly deletes it.

1 vote
1 answer
56 views

How do junk/spam mails get the "current" timestamp applied?

Whenever I open my email client (Thunderbird), I see some junk mails that have the timestamp of the exact moment when my client downloaded them via IMAP. So emails with the exact same timestamp of ...
stackprotector
1 vote
2 answers
124 views

Is it possible for an attacker to change an email attachment of a received email client-side and synchronize it via IMAP with Webmailer?

An attacker manipulated the IBAN of an invoice.pdf attached to a received email. The question remains, can said attacker manipulate/change such a PDF client-side and cause an IMAP synchronization with ...
frank
0 votes
2 answers
195 views

What does the IMAP banner alone show regarding security (STARTTLS, hashing, information disclosure)?

I encountered an open TCP/143 IMAP port which responded with this banner: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=...
Bob Ortiz
0 votes
0 answers
189 views

CNAME redirection and certificate

As an experiment, I attempted to set up a CNAME for mail.mydomain.com pointing to mail.myisp.com, and to use mail.mydomain.com instead of mail.myisp.com when setting up email clients connecting to that ...
fgrieu
0 votes
0 answers
536 views

Genuine security of IMAP vs Exchange Active Sync mail access

I agree that - as always - having two protocols available potentially offers a greater attack surface than either of them. I know Active Sync allows to enforce organisational admin capabilities to ...
Martin
0 votes
1 answer
571 views

IMAP credentials in WEB (browser) app - how to use securely

I need to send and check email (via IMAP email servers) from my web app. Storing credentials on the server seems like a problem, as they are almost always plain text. So if I store them in the client browser's ...
beliaban
1 vote
0 answers
181 views

Strange cyrus/imaps logins without valid password

I found apparently successful logins from a foreign IP address to our cyrus-imap server: Nov 24 08:16:20 server-1 cyrus/imaps[12101]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits ...
mko
0 votes
1 answer
466 views

Open IMAP connection using hashed password

I am making an email client over the IMAP protocol. To "remember" the user's connection details (email, password, host, etc.) I need to store the password in plain text, because otherwise I won't be able to ...
ivanjermakov
0 votes
1 answer
2k views

Could IMAP authentication be adapted to support 2FA?

Theoretically? (If no, why? And if yes, why hasn't it been done?)
user664833
1 vote
2 answers
748 views

Why does Thunderbird have a private IP address as remote host?

Why does Mozilla Thunderbird, configured to access the Yahoo IMAP server, use a private IP address, even if there is no other device in the network? Every time Thunderbird is restarted, it changes the remote host ...
Jagjeet Sharma
1 vote
2 answers
368 views

Anything wrong with using IMAP as authentication for a web app to achieve a kind of easy SSO?

The idea would be to wrap a server-side IMAP client in a wrapper that transforms IMAP authentication into a web API for authentication (maybe OAuth?). When the back-end application receives ...
Robert Talada
0 votes
1 answer
148 views

Email including self-shredding macro after "Seen" flag is set

Bob sent an email to Alice with nothing much useful and tenuous (but because it isn't useful it can ruin Bob's reputation if bad Alice decides to publish it). Is there a way for Bob to include a ...
guest
39 votes
2 answers
12k views

How do email clients "send later" without storing a password?

Email clients like Spark for macOS have a feature where a user can send an email later, at any given time, even when the computer is turned off. An SMTP server needs password-based authentication, ...
NikxDa
0 votes
0 answers
394 views

Watch Encrypted IMAP Responses

I'm trying to see if I can decipher the messages coming back from Exchange when I try to log in via secure IMAP. My Office 365 accounts are under attack and I've disabled IMAP (and legacy login) but ...
Sean
7 votes
2 answers
2k views

Outlook for Android uses intermediate Microsoft Servers

I have an IMAP + SMTP server running on Linux, using Dovecot + Postfix. The server only accepts connections over TLS and uses plaintext authentication once the tunnel is established. I was auditing ...
2 votes
2 answers
170 views

Domain offline - are unmaintained email clients a security risk?

I have just unregistered a domain. Now my mail client (Thunderbird) popped up a message saying that it cannot connect to the mail server. That's fine - for the moment. However, I wonder what would ...
Thomas Weller
0 votes
1 answer
10k views

Risks in open POP3/IMAP ports?

I found a domain with open POP3 (110) and IMAP (143) ports. I was able to use telnet to connect to them successfully, but beyond this is there any common vulnerability/exploit I should test on them, ...
Jack
2 votes
2 answers
2k views

Finding and attacking an IMAP Server

For a security challenge I am supposed to dictionary-attack an IMAP service. A rather simple exercise using hydra. So far I have failed, since I've given hydra the actual website instead of the mail ...
Mr.Sh4nnon
0 votes
1 answer
2k views

Why do OpenSSL and Python return different SSL fingerprints?

I use getmail, a tool written in Python, to retrieve my mail via IMAP. Today it suddenly stopped working because it complains about an SSL fingerprint mismatch. (I always specify the fingerprint to ...
Psychonaut
2 votes
1 answer
198 views

How to single-key decrypt PGP-encrypted mails in a multi-key/multi-identity setup?

For PGP encryption I'd like to combine short expiry terms for public signing and email encryption with (convenient) long-term decryption possibilities for my mailbox mails. I'm using several mail ...
walfi
16 votes
4 answers
16k views

Does IMAP/POP3/ASP undermine Two-Factor Auth?

When I log in to Hotmail or Google or Posteo I can only log in using the 2FA that I have set up. However, each provider seems to have an alternative for apps that do not auth via a web client. ...
CCXD
8 votes
2 answers
2k views

Why are common services using implicit SSL not considered obsolete in the way that SMTPS is?

SMTPS (implicit SSL) has been deprecated/obsolete since SMTP+STARTTLS (explicit SSL) was defined in RFC 2487. I'm not entirely clear on the reasoning behind that, but it was clearly considered a good ...
Synchro
0 votes
1 answer
551 views

What security settings is Yahoo Mail looking for to consider an IMAP client secure?

When setting up an IMAP client for Yahoo Mail, Yahoo requires the "Allow apps that use less secure signin" option to be enabled. The client is configured to use SSL for IMAP (and SMTP). What ...
Amazon Dies In Darkness
6 votes
3 answers
2k views

Better safety: Webmail or POP3/IMAP email client?

Which offers a higher level of safety: webmail or using a POP3/IMAP client? Assume the following for webmail: access via HTTPS; rarely downloading any attachments, but in cases where it may be ...
Amazon Dies In Darkness
0 votes
1 answer
250 views

IMAP with authentication set to none

While adding a Mediacom email account to Apple Mail I referenced their page on IMAP settings, https://supportstage.mediacomcable.com/print/1446. I noticed that the authentication type for incoming email ...
traisjames
2 votes
3 answers
2k views

What is the purpose of opportunistic TLS (like STARTTLS)?

Opportunistic TLS refers to extensions to plain-text communication protocols that offer a way to upgrade a plain-text connection to an encrypted (TLS or SSL) connection instead of using a separate ...
Bob Ortiz
3 votes
1 answer
307 views

Why does my password appear in clear text with my smartphone mail IMAP application?

I am using the default Galaxy 5 mail application to fetch my mail with IMAP. A packet capture shows my user and password in clear text (see below). Why do my username and password appear in clear ...
0 votes
1 answer
522 views

Random persistent Gmail password requests from Google

I am trying to figure out something for my father in law. This persistent popup keeps interrupting anything anyone is doing on his desktop by requesting he put in his password. I told him not to. It ...
Claire
0 votes
2 answers
124 views

Reconcile IMAP4 RFC with No RC4 RFC

RFC 3501 states: IMAP client and server implementations MUST implement the TLS_RSA_WITH_RC4_128_MD5. RFC 7465 states: o TLS clients MUST NOT include RC4 cipher suites in the ClientHello message o ...
Swashbuckler
3 votes
0 answers
564 views

How secure is PHP IMAP? [closed]

I'm working on a project for one of my customers. They want a web environment where the site searches for specific emails for specific users and makes the attachments of those emails accessible to ...
LesleyTYap
7 votes
2 answers
988 views

How does Google store passwords for remote IMAP/POP services?

It is possible to add non-Google accounts to Gmail and retrieve their mail messages via POP or IMAP. As part of the setup process, one has to provide the login username and password for these accounts....
WoJ
2 votes
1 answer
2k views

Why doesn't Outlook 2013 meet modern security standards?

It is required to turn on the "allow less secure apps" setting in order to be able to use a Gmail account with Outlook 2013, even though it is using the IMAP and SMTP services with the SSL protocol enabled. ...
ncomputers
8 votes
2 answers
644 views

How can I track someone logged in to my Gmail account over IMAP?

Gmail tells me if someone new has logged in to the web interface (device, browser etc.). But what about IMAP logins? If someone has my password, can he stealthily read my mails over IMAP?
Denis Steif
3 votes
2 answers
476 views

Reading mail from Gmail with secure access

I recently implemented PHP code with IMAP for reading mails from a Gmail account and then executing some command depending on the mail body. I got this to work after consulting the first answer ...
Prathiba
5 votes
0 answers
606 views

Should I force Thunderbird to avoid RFC5746 and CVE-2009-3555 security bugs?

I see that the latest version of Thunderbird (38.0.1) still has the defaults set to ignore the error. Is this a big problem? Should I change the defaults to enforce greater security? Here is ...
Chloe
3 votes
3 answers
605 views

How should webmail's authorisation work?

I'm building a webmail client (like Gmail). It allows the user to browse emails and send them. Under the hood, PHP uses IMAP and SMTP to talk with the email server: user->webserver->mailserver. When the user ...
user3702861
2 votes
3 answers
567 views

Fake "FROM" email to allocate to account

We are allocating emails to their online account. We discovered you can send a false email with a script by changing the "from" or "reply-to" in the email header. There must be a safe way to test the ...
Saul Frank
-1 votes
1 answer
1k views

Why not use MD5 auth mechanisms for IMAP over TLS?

I'm using Dovecot for IMAP connections. I've read a lot of tutorials on how to set up Dovecot, and a lot of them said to only allow: auth_mechanisms = plain login Why should I not allow *-md5 ...
Ben Richard
1 vote
1 answer
3k views

Is my Postfix and Dovecot configuration secure?

Today I set up my first server with Dovecot and Postfix. These are excerpts from the configuration files: Dovecot: disable_plaintext_auth = yes ssl = required ssl_prefer_server_ciphers = yes ...
Ben Richard
3 votes
1 answer
272 views

Opening mail from IMAP with no risk for the user

I'm building a website for an association. Its aim is, among other things, to provide an easy mail manager to communicate with the members, who are stored in a database. This database is always up to date as ...
Remy San
80 votes
3 answers
88k views

What are the dangers of allowing "less secure apps" to access my Google account?

According to https://support.google.com/accounts/answer/6010255: Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices ...
Hjulle
11 votes
3 answers
15k views

How to store passwords securely in my server?

Disclaimer: I know I should use bcrypt to securely store users' passwords. Please keep reading. I want to store credentials for several email services for each user. So if I log in with my username ...
Francisco Presencia
4 votes
1 answer
2k views

Do the BEAST and CRIME attacks apply to an IMAP service?

While setting up the Dovecot IMAP service, I noticed that the default parameters are not optimal; it allows SSLv3, for example. Using Thomas Pornin's TestSSLServer.java program, I saw the following: ....
Lekensteyn
1 vote
1 answer
2k views

Distributed IMAP dictionary attack tool?

I have a client with a hacked IMAP account, and the attacker(s) made thousands of password attempts, probably with a fixed set of passwords, from different IPs before they got in. After successful ...
that guy from over there