Is the POP3 email protocol insecure (even with TLS)?
June 14, 2012 1:07 PM   Subscribe

Is the POP3 email protocol insecure (even with TLS)?

I work for a large organization, and our IT department has recently stopped supporting the POP3 protocol for email, in favor of MAPI and IMAP. They say that they can't allow POP3 for security reasons, but won't elaborate on the precise nature of their concern. Is POP really such a security problem, even with SSL/TLS and encrypted passwords? What makes MAPI and IMAP so much more secure? Any guesses about what my IT department is really trying to accomplish here?
posted by epimorph to Computers & Internet (16 answers total) 6 users marked this as a favorite
 
It's probably not the security of the login, if they indeed have SSL/TLS enabled. It's probably more an issue of security regarding the e-mail content itself.

POP3 is different than MAPI/IMAP fundamentally because the messages are not retrieved and removed from the server in MAPI/IMAP, but they are with POP3. This means it's easier to lose e-mail in POP3 environments because it gets permanently removed from the server.
posted by odinsdream at 1:10 PM on June 14, 2012


Thanks, odinsdream! If they're worried about retaining emails, is there no way the IT folks could tell the server to retain emails even after they're downloaded via POP3?
posted by epimorph at 1:15 PM on June 14, 2012


it's easier to lose e-mail in POP3 environments because it gets permanently removed from the server.

All the POP3 clients I've ever used of my experience have an option to leave the mail on the server.

Epimorph, maybe your IT department doesn't like that POP3 duplicates message content on the client computer. This makes it impossible to enforce email retention / deletion policies.

I believe that other mail protocols store the messages in a centralized fashion on the mail server, so that messages can be deleted, archived, or recalled by the administrators.

This is my guess because I once used POP3 in an Exchange shop and got to see some interesting message that execs later tried to recall...
posted by Sauce Trough at 1:20 PM on June 14, 2012


I talked to a client recently who disallowed POP3 and scoffed when I asked about it. So I don't think this is uncommon, but I like IMAP anyway so I never asked why.

I switched to IMAP back when I was using POP3 all the time, saying, "I just tell it to leave my mail on the server," until one day, on one email client, I forgot to tick that little box and all of my mail was now on that one box, and no longer on the server for me to browse from a different computer later.

Sigh.
posted by circular at 1:27 PM on June 14, 2012 [1 favorite]


All the POP3 clients I've ever used of my experience have an option to leave the mail on the server.

And one user mis-configuring their client results in a complete loss of server e-mail.

IMAP is really a much, much better protocol. POP3 comes from the age when your mail server was literally like a post office box. Your local system would mozy along and pick up some mail, say thank you, and go about its merry way. There was no notion of supporting multiple devices, mobile phones, webmail, and implementing retention policies.
posted by odinsdream at 1:27 PM on June 14, 2012 [1 favorite]


Also forgot: I don't belive POP3 allows server-side folders. Maybe that's changed since, but now that I use folders all the time, I can't imagine what an annoyance that would be.
posted by circular at 1:28 PM on June 14, 2012


Correct, folders are not part of the POP3 spec.
posted by odinsdream at 1:34 PM on June 14, 2012


Thanks for the answers! I had a feeling that the IT department's new policy was self-serving in one way or another, and wasn't really about security. In light of the answers, my guess is that the policy has to do with my employer covering its ass in case of a lawsuit (by retaining all the communication), and is not at all about any technical problems or usability.

As for my preference for POP, I have multiple email accounts, and I like organize the messages based on the content, rather then the account to which they arrive, and I also like to keep copies on my machine. Using POP seems to be the most convenient way to accomplish this.
posted by epimorph at 1:53 PM on June 14, 2012


"Security" is the excuse some IT folks use when they have a better reason but don't want to spend the time bringing someone from outside IT up to speed on the background it would require to understand the real reason. Especially if management is doing the asking. Unfortunately, it's also the excuse they use when they don't have a good reason, aside from just not wanting to do something.

Either way, what they're probably trying to accomplish here is for you to go away and stop asking awkward questions.
posted by hades at 1:55 PM on June 14, 2012


As for the reason you prefer POP, what mail client do you use? You ought to be able to create a local mail store on your machine and copy messages from multiple IMAP accounts into any folder structure you want in your local folders.
posted by hades at 1:58 PM on June 14, 2012


I wouldn't hesitate to switch to IMAP. As olinsdream pointed out, it's much, much better and can likely do whatever you have POP doing right now.

In light of the answers, my guess is that the policy has to do with my employer covering its ass in case of a lawsuit (by retaining all the communication), and is not at all about any technical problems or usability.

I don't know...it's just as likely that IT had somebody accidentally remove every one of their emails from the server and got reprimanded for allowing that to happen. :-)
posted by circular at 2:01 PM on June 14, 2012


I use Thunderbird, and I do indeed have various filters that move all the messages to the same inbox, and perform other sorts of manipulations. This gets me pretty much what I want, but I still find this setup to be a much more clumsy way of allowing me to mange my emails the way I want than just using POP, in part because of limitations on what can be accomplished with filters in Thunderbird.
posted by epimorph at 2:13 PM on June 14, 2012


I think it's very likely that the company is switching to IMAP for the security of retaining emails, but it's worth noting that there are some secure challenge-response authentication mechanisms for POP3 (and IMAP) that require passwords to be stored on the server in plaintext.

APOP is one, and some implementations of CRAM-MD5 do it as well. Under these schemes, your password cannot be acquired by anyone eavesdropping on the Internet because it's never transmitted over the internet, but can be easily found by anyone with access to the server.
posted by RonButNotStupid at 3:19 PM on June 14, 2012


I think you may have missed my point that security is a much larger topic than whether your password is sent in the clear. If you work for a "large organization" then security most definitely covers making sure users don't lose e-mail because of a mis-configured client.

As others noted, IMAP instead of POP should have no bearing on how you organize your local e-mail at all, even with Thunderbird. It's unclear what problem you're actually having. You could ask another question shortly to get more help on your filtering issue.
posted by odinsdream at 6:00 PM on June 14, 2012


Another possibility is that your org's POP3 server is old and no longer maintained or supported by its vendor, or something along those lines, so it is insecure or potentially insecure, and they don't want to find and maintain a new one because it's a bunch of work for little gain.
posted by hattifattener at 12:08 AM on June 15, 2012


In light of the answers, my guess is that the policy has to do with my employer covering its ass in case of a lawsuit (by retaining all the communication), and is not at all about any technical problems or usability.

If you work for a publicly traded American company, then at least some of your emails have to be retained to comply with Sarbanes-Oxley.
posted by atrazine at 2:58 AM on June 15, 2012


« Older Projects vs. Next Actions   |   Creative ways of including family and friends in a... Newer »
This thread is closed to new comments.