[IMAP] Who can read your mail? IMAP without SSL

Exposed email services can pose a serious problem to your organization’s security.

BLUF: IMAP (Internet Message Access Protocol) is a protocol used to access and manage email messages on a mail server. When IMAP is used without adding SSL (Secure Sockets Layer), the communication between the email client and the mail server is unencrypted, which means that anyone who can intercept the traffic can read the messages and even modify them.

Here are some reasons why IMAP should be protected by SSL:

Confidentiality: When SSL is used to encrypt IMAP traffic, the contents of the messages, including any sensitive information such as corporate intellectual property or wiring instructions, are protected from eavesdropping and interception by third parties.

Integrity: SSL also ensures that the messages remain intact and have not been tampered with during transmission. Imagine someone replacing each wire instruction with a doctored PDF that has THEIR routing and account number! This is important to prevent malicious actors from modifying the messages or injecting malware into them.

Authentication: SSL provides a mechanism for verifying the identity of the mail server, which helps to prevent man-in-the-middle attacks. Without SSL, it is possible for an attacker to impersonate the mail server and intercept or modify messages.

Compliance: Many organizations are required by regulations such as HIPAA or GDPR to protect the confidentiality and integrity of email messages. Using SSL to secure IMAP traffic helps to meet these requirements.

Overall, protecting IMAP with SSL is an important security measure to ensure the privacy, integrity, and authenticity of email messages.

Guidance and recommendations to secure IMAP and POP

The mail services typically seen on IMAP servers should be configured in the most restrictive way possible if you cannot move to a cloud provider. Commercial mail providers allow organizations to require MFA, to send messages encrypted with SSL by default, to enable robust logging with one click, to audit mailboxes regularly, and so on.

The drawback of IMAP/POP as a standalone mail service is that each setting must be configured individually. The trade-off is flexibility for organizations that wish to self-host or to configure their mailboxes themselves. Forcing IMAP over TLS on port 993, or STARTTLS, is a basic improvement over the base service. For a long time the easy mistake of transmitting passwords in plain text (due to poor configuration) made IMAP a very likely source of company data leaks.

Steps to Lock down your Mail Services:

  • Configure firewall rules to prevent direct remote access to IMAP servers
  • Enable MFA as widely as possible for remote access
  • Send all messages and traffic with encryption
  • Follow a Zero Trust approach and deny any remote access without MFA
  • Enable robust logging for all IMAP user activity and remote access
  • Audit the mailbox settings and logs regularly, look for forwarding rules
  • If necessary, disable end-user access to these legacy email services entirely and require that users access email via their browser over HTTPS
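A defender-side check for the encryption settings described above (STARTTLS or implicit TLS on port 993, and no plaintext logins), added here as an example and not part of the original page. The function names and the capability lists in the comments are assumptions; audit_server and check_implicit_tls need network access to a mail server you administer.

```python
import imaplib
import ssl

# SASL mechanisms that send the password in the clear; advertising them before
# TLS is negotiated means the server will take credentials over plaintext.
PLAINTEXT_AUTH_CAPS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def audit_capabilities(caps):
    """Return findings for a capability set read BEFORE TLS was negotiated.

    caps: iterable of capability tokens, e.g. ("IMAP4REV1", "STARTTLS",
    "LOGINDISABLED"). Tokens are upper-cased because servers differ in case.
    """
    caps = {c.upper() for c in caps}
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS offered on the cleartext port")
    if "LOGINDISABLED" not in caps:
        # RFC 3501 / RFC 2595: LOGINDISABLED tells clients the LOGIN command
        # is refused until TLS is active. Without it, LOGIN goes over plaintext.
        findings.append("LOGIN accepted before TLS (LOGINDISABLED missing)")
    weak = sorted(caps & PLAINTEXT_AUTH_CAPS)
    if weak:
        findings.append("plaintext SASL mechanisms offered before TLS: " + ", ".join(weak))
    return findings


def audit_server(host, port=143, timeout=10):
    """Audit the pre-TLS capabilities of the cleartext port; sends no credentials."""
    # imaplib reads the capabilities during the greeting and stores them as a tuple.
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        return audit_capabilities(conn.capabilities)
    finally:
        conn.logout()


def check_implicit_tls(host, port=993, timeout=10):
    """Confirm the implicit-TLS port answers with a certificate that validates
    against the system trust store (the 'Authentication' point above).
    Raises ssl.SSLCertVerificationError on a self-signed or mismatched cert."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    try:
        return conn.capabilities
    finally:
        conn.logout()
```

An empty result from audit_capabilities means the cleartext port will only negotiate STARTTLS before taking a login; any finding is a setting to fix on the server before relying on the firewall rules above.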