16.7. Internet Message Access Protocol (IMAP)

IMAP,[65] like POP, is a protocol used by mail user agents to retrieve mail for a specific user from a server. IMAP is a more recent protocol providing more flexibility, including support for multiple mailboxes for each user. POP is commonly used to transfer all messages in a single mailbox to the client from the server; IMAP is designed to store messages on the server, allowing them to be copied and manipulated by the client. IMAP is a much more capable protocol than POP and correspondingly is harder to implement securely.

[65] This acronym is sometimes also expanded to "Interim Mail Access Protocol".

Otherwise, the security implications of IMAP are much like the security implications of POP. IMAP does allow for nonreusable passwords, but not all IMAP servers and clients support them. Similarly, an Internet standard is evolving that will allow IMAP to use TLS to support the encryption of messages as they pass between the server and client, but currently few servers and clients support this option. There is also an assigned port for IMAP over SSL, which is supported by a slightly larger number of clients and servers. Unless you control the IMAP servers and have configured them to require nonreusable passwords and data encryption, or you are restricting connections to IMAP over SSL, you should assume that IMAP is passing reusable passwords and unencrypted data.

16.7.1. Packet Filtering Characteristics of IMAP

IMAP uses straightforward TCP connections to port 143 and is therefore easy to allow through packet filters. IMAP over SSL currently uses port 993, but an earlier convention uses port 585. Several variants of IMAP are in use (you may see variants described as "v2" or "rev4", for instance), but all IMAP versions in wide distribution use the same port.
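As an added illustration (not part of the original text), the sketch below evaluates stateless IMAP rules the way a packet filter would, using the ports and the ACK behaviour given in this section, and shows what changes when only IMAP over SSL on port 993 is permitted. The rule set, the names Packet, port_ok and filter_packet, and the sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ports named in this section: IMAP, IMAP over SSL, older IMAP-over-SSL convention.
IMAP_PORTS = frozenset({143, 993, 585})

@dataclass(frozen=True)
class Packet:            # constructed model of the header fields a filter sees
    direction: str       # "in" = external to internal, "out" = internal to external
    proto: str
    sport: int
    dport: int
    ack: bool            # TCP ACK flag

# Assumed rule set: (name, direction, source port, destination port, ACK required).
# "svc" means one of the permitted IMAP ports, "high" means a port above 1023.
RULES = [
    ("external client to internal server", "in", "high", "svc", False),
    ("internal server reply", "out", "svc", "high", True),
    ("internal client to external server", "out", "high", "svc", False),
    ("external server reply", "in", "svc", "high", True),
]

def port_ok(kind, port, service_ports):
    return port > 1023 if kind == "high" else port in service_ports

def filter_packet(pkt, service_ports=IMAP_PORTS):
    """Return (verdict, rule name). First matching rule wins; default is deny."""
    if pkt.proto == "tcp":
        for name, direction, src, dst, need_ack in RULES:
            if (pkt.direction == direction
                    and port_ok(src, pkt.sport, service_ports)
                    and port_ok(dst, pkt.dport, service_ports)
                    and (pkt.ack or not need_ack)):
                return ("allow", name)
    return ("deny", "default")

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("in", "tcp", 40000, 143, False),   # client opens a connection
        Packet("out", "tcp", 143, 40000, True),   # server answers, ACK set
        Packet("in", "tcp", 143, 40000, False),   # connection attempt from port 143
        Packet("in", "tcp", 40000, 585, False),   # older IMAP-over-SSL port
    ]
    for p in samples:
        print(p, filter_packet(p), filter_packet(p, frozenset({993})))
```

Requiring ACK on packets whose source port is the service port is what stops a host from opening new connections to internal high ports by sending from port 143.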
[66] ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.

[67] 993 is the current standard, but some older implementations use 585.

16.7.2. Proxying Characteristics of IMAP

IMAP is a straightforward protocol to proxy, since it uses a single TCP connection. There do not appear to be any IMAP-specific proxies available at this time, but generic proxies will work with IMAP (without providing any strong security guarantees).
16.7.3. Network Address Translation Characteristics of IMAP

IMAP does not use embedded IP addresses and will work with network address translation without problems.
16.7.4. Summary of Recommendations for IMAP