1

In a corporate environment running Exchange with Outlook clients connecting to it, why do server administrators not allow IMAP to be turned on for those that would like to connect to the server using IMAP?

I'm assuming the simple answer is port attacks, and please excuse my naivety, but does Exchange not suffer the same problems, or is it because it's behind the firewall and within the corporate network?

UPDATE: Thanks for the replies. Can anyone confirm that if IMAP was turned on there would be a susceptibility to outside attacks?

Jon
  • 3
    You'd have to ask *your* administrators, who I assume have done this. Not everybody does this. In our environment we allow external IMAP connections. To understand why it's not allowed in your environment you'd have to ask whoever made that decision. – ThatGraemeGuy Nov 22 '11 at 10:19
  • 1
    @Jon: Every open service has a certain risk. What is your problem anyway? – Sven Nov 22 '11 at 11:38
  • I would like to propose to the management and IT staff that IMAP be turned on. If there is a new risk of outside attack it won't be in my favour. If Exchange is already open to attack (and I don't know the answer to that) then it's not so bad – Jon Nov 22 '11 at 12:15
  • @Jon: This is nonsense. If you come to me and tell me I should open another service (in other words: an additional attack vector) because the one I am running is already open to attacks, I hope you will forgive me if I don't take you seriously in any way... – Sven Nov 22 '11 at 12:48
  • Just trying to spin the argument :) – Jon Nov 22 '11 at 13:16
  • 1
    @Jon You're not doing a very good job of it. I don't know what it is that you do, but I'd imagine you wouldn't take kindly to the IT staff showing up at your desk and trying to "spin" arguments for you to do your job differently. If data security, end user support, or Exchange management aren't in your job title then you're really not in a position to do anything except piss off the people that run your critical services. – MDMarra Nov 22 '11 at 13:52
  • 2
    One major consideration is that if users are using mobile devices, they will be required to use ActiveSync to access email on their device. This allows devices to be remote wiped if they are stolen. You can't do this with IMAP. That's just one of dozens of things that you aren't getting paid to have to know about. Focus on your job and let your IT department do theirs. – MDMarra Nov 22 '11 at 15:18
  • I think this is an excellent question, and the OP has been subjected to a lot of quite aggressive responses that are not warranted. We're supposed to make people want to use serverfault. My comment (can't answer in question's current state): Traditional IMAP sends username and password in clear text. That's the primary security concern. 'IMAPS' gets around that. – Chalky Jun 26 '16 at 22:18
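
Added example, not part of the original thread or written by any of its posters: the last comment above says traditional IMAP sends the username and password in clear text and that IMAPS avoids this. The Python below classifies a listener from its greeting or CAPABILITY line using the RFC 3501 `LOGINDISABLED` and `STARTTLS` capabilities; the function names and sample server lines are constructed for illustration.

```python
import re

# Capability data appears either in an untagged CAPABILITY response or in a
# [CAPABILITY ...] response code inside the server greeting (RFC 3501).
_CAP_RE = re.compile(
    r"^\* (?:CAPABILITY (?P<plain>.+)"
    r"|(?:OK|PREAUTH) \[CAPABILITY (?P<code>[^\]]+)\])",
    re.I,
)


def parse_capabilities(line):
    """Return the set of upper-cased capability atoms found in one server line."""
    m = _CAP_RE.match(line.strip())
    if not m:
        return set()
    return {atom.upper() for atom in (m.group("plain") or m.group("code")).split()}


def assess_listener(tls_wrapped, caps):
    """Classify how a listener treats credentials, given its capabilities."""
    if tls_wrapped:
        return "ok: session is TLS-wrapped (IMAPS)"
    cleartext_sasl = {"AUTH=PLAIN", "AUTH=LOGIN"} & caps
    if "LOGINDISABLED" not in caps or cleartext_sasl:
        return "weak: credentials accepted without TLS"
    if "STARTTLS" in caps:
        return "ok: plaintext LOGIN refused until STARTTLS"
    return "review: no cleartext login offered, but no STARTTLS either"


# Constructed sample lines (label, TLS-wrapped?, server line); not real captures.
SAMPLES = [
    ("143/starttls", False, "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("143/legacy", False, "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN IDLE"),
    ("993/imaps", True, "* CAPABILITY IMAP4rev1 AUTH=PLAIN"),
    ("143/ntlm-only", False, "* CAPABILITY IMAP4rev1 AUTH=NTLM LOGINDISABLED"),
]


def audit(samples):
    """Map each sample label to its verdict."""
    return {label: assess_listener(tls, parse_capabilities(line))
            for label, tls, line in samples}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label:15} {verdict}")
```
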

4 Answers

8

The main reason is likely that they have decided on Outlook or Outlook Web Access as the only supported client, which can make sense in some environments.

Sven
  • Would there be any additional support and maintenance if it were turned on? Is my assumption about port attacks correct? – Jon Nov 22 '11 at 10:03
  • 2
    Well, it might be, but that would not necessarily be my only concern: IMAP clients are not supported and there is no better way of telling your users this than simply turning IMAP off. Otherwise people try to be clever, have problems in their setup or create them in some way with some bad configurations and create support incidents. – Sven Nov 22 '11 at 10:09
3

My opinion is that it's probably due more to supportability than security. Enabling IMAP (and/or POP) means that the administrator has to manage several connection types to the Exchange server, which then inevitably increases the number of support calls from users and broadens the scope of managing and supporting those clients. A support call would consist of:

Determining the connection type

Verifying the connection settings for that connection type

Verifying authentication methods and credentials

Verifying that the protocol in question (IMAP and/or POP) is enabled for the user

Testing for client side firewalls that may be blocking that connection type (IMAP and/or POP ports, not to mention SMTP for sending email)

etc., etc.

joeqwerty
2

I believe system administrators just deem IMAP unnecessary considering that they'll have fewer issues if they allow only Exchange.

It's also a better way to make sure that everyone will have access to all the features (calendars, meetings, folders, etc.) that Exchange provides (not that they are impossible to provide via IMAP, just that there are several implementations to those services, as opposed to the integrated solution provided by Exchange and its main clients, Outlook and mobile devices).

This being said, I usually connect to our Exchange 2007 with the aid of software such as DavMail, which allows me to use the clients that I find most suitable on my platform of choice, without requiring that the admin gives me support for this. As you can imagine, the IT admin would have much more work if it were to support both IMAP and Exchange, with a wider range of possible configurations / clients, in addition to the aforementioned complications with features.

Bruno Flávio
0

In theory, yes, opening IMAP is a security vulnerability, as is opening any port on a firewall. Somewhere there may be an exploit that uses IMAP to attack Exchange. I've never seen one, but one may exist.

It is a greater maintenance burden insofar as I now have to monitor the Exchange IMAP service, and engage in troubleshooting issues with user connection.

Driftpeasant