dan@upvote.au English 10 hours
Someone who’s still using POP instead of IMAP4 probably hasn’t updated their setup in 20 years.
This is a good reminder to use the secure ports for IMAP (993) and SMTP (465). Don’t use ports that use opportunistic TLS (STARTTLS), which are 143 for IMAP and 587 for SMTP. These start unencrypted and switch to using encryption once the server says it supports it. An attacker can just modify the response and say the server doesn’t support encryption, in which case the connection will remain unencrypted. https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations
You can force encryption on the client side… but then you may as well just use the port that’s always encrypted.
(yes, I know that the TLS handshake isn’t encrypted either)
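An added example, not part of the original comment: a small offline model of the downgrade described above, comparing a client that treats STARTTLS as optional with one that requires it. The EHLO replies, the host name and the function names are constructed for illustration.

```python
# Constructed sample: EHLO reply from a submission server on port 587.
GENUINE_EHLO = (
    "250-mail.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Constructed sample: the same reply after one line was removed in transit.
STRIPPED_EHLO = GENUINE_EHLO.replace("250-STARTTLS\r\n", "")


class TLSRequiredError(Exception):
    """Raised when policy demands TLS but the server did not offer it."""


def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 reply."""
    keywords = set()
    lines = [line for line in reply.split("\r\n") if line]
    for index, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if index == 0:
            continue  # first line carries the server name, not an extension
        if rest.strip():
            keywords.add(rest.split()[0].upper())
    return keywords


def next_step(reply, require_tls):
    """Decide what the client sends after EHLO on a plaintext connection."""
    if "STARTTLS" in parse_ehlo(reply):
        return "STARTTLS"
    if require_tls:
        # Fail closed: stop before any credentials or mail are sent.
        raise TLSRequiredError("STARTTLS not advertised; refusing to continue")
    # Opportunistic behaviour: carry on without encryption.
    return "AUTH-IN-CLEARTEXT"
```

The plaintext EHLO reply is unauthenticated, so only the `require_tls=True` policy (or an implicit-TLS port) keeps credentials off the wire when the advertisement is missing.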
- pHr34kY@lemmy.world English 9 hours
Forcing encryption reduced my spam by about 99%. Spambots almost never have certificates.
It also prevented email being delivered from Nintendo, because they can’t tie two network wires together.
- Tetsuo@jlai.lu English 5 hours
In my experience, no large business would decide to only accept encrypted inbound SMTP. So as usual with SMTP you try to handle the worst clients sending you mail with nothing security-wise (no DKIM, no SPF, no TLS) and still try to filter all the spam out of it and that’s about it.
And I acknowledge the effort from Google to push the security to get better but even then nobody wants to accept to miss a few dirty emails for the sake of security.
The stance is unfortunately to never be the one refusing emails even when they are absolutely and completely unsecured. It really sucked being an admin on that kind of systems. SMTP is one of the worst protocols I have ever seen so widely used and there is still this idea that you should accept mail even when they don’t fully respect the basic security requirements Gmail has made mandatory.
Most of the time the higher ups didn’t seem to care about the confidentiality of mails received.
dan@upvote.au English 5 minutes
> In my experience, no large business would decide to only accept encrypted inbound SMTP
For submission (connections coming from users that have an account on the server) or for relay/target (connections coming from other email clients)? All email clients support encryption so I think requiring encryption for submission is reasonable. Server-to-server (port 25) can’t have it enforced though, like you said.
> SMTP is one of the worst protocols I have ever seen so widely used
It’s from an era where everyone trusted everyone else. All connections were unencrypted, spam protection and rate limiting weren’t needed, and security really wasn’t on people’s minds. Modern security and spam protection is hacky because it’s built on top of protocols that weren’t designed for it.
The other major issue with old protocols is that they’re stateful. Modern protocols are mostly stateless since it’s generally easier to deal with. They’ve also had more and more features hacked into them over time, so the specs are enormous.
There’s been one major attempt at modernizing it: JMAP. It’s stateless, uses JSON, and intends to replace both IMAP and SMTP. FastMail started the project. https://jmap.io/why-jmap/
However, they’ve only looked at the “easier” part to replace: Communication between a user and their email server. They’re not looking to replace server-to-server communication at all.
shadowtofu@discuss.tchncs.de English 3 hours
My mail provider optionally supports this. They have a subdomain with an SMTP server that rejects unencrypted connections, I just have to hand out …@secure.mailbox.org instead of …@mailbox.org as my mail address.
- corsicanguppy@lemmy.ca English 10 hours
> Someone who’s still using POP instead of IMAP4 probably hasn’t updated their setup in 20 years.
You’ll understand one day that pop3s has its uses for certain situations.
John Richard@lemmy.world English 9 hours
Can you explain what they are? I’m curious what POP3 offers that IMAP4 doesn’t.
IsoKiero@sopuli.xyz English 9 hours
I’ve used that on automated systems. No need to worry about email quota and everything incoming is single-use input for other systems so there’s no need to store messages on the mail server. Sure, you could do that with imap too, but pop3 clients usually don’t leave messages on the server by default, so there’s no need to delete them separately.
Other case might be to pull the emails from email provider servers so that provider can’t use your emails later. For example if you’re a journalist you might not want to have your emails stored with a 3rd party. Or maybe you’re using some free tier email provider with a very limited quota, which was generally the use case for pop3 before everyone got practically unlimited quota.
On my personal account I of course use imap since I’ve got multiple devices but pop3 isn’t quite dead yet.
dan@upvote.au English 9 hours
> I’ve used that on automated systems. No need to worry about email quota and everything incoming is single-use input for other systems so there’s no need to store messages on the mail server
You can do this with IMAP as well, you just need to delete and expunge the emails. Any good email client or library will have an option for this.
POP is literally just downloading all the emails, then deleting them. That’s it.
You can’t have a script that only downloads emails that match a search (for example emails from a particular sender), since POP doesn’t support search. A basic use case is to check for bills/invoices from certain companies and import them into an accounting system, while leaving other emails untouched.
You can’t receive emails in real-time and have to instead poll, since POP doesn’t support real time notifications. IMAP supports IMAP IDLE.
If you have rules that filter emails into folders, you can’t download them via POP, as it doesn’t support folders.
For automated systems, if you don’t want to store the emails, you can configure the email server to pipe the emails directly to a script. That way they’re not stored at all, and your script gets them immediately rather than having to poll.
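An added example, not part of the original comment: the search, download, delete and expunge flow described above, using Python's standard `imaplib` over implicit TLS on port 993. The function names and the INBOX folder are assumptions of this example.

```python
import email
import imaplib
import ssl


def connect(host, user, password):
    """Open an implicit-TLS IMAP session (port 993) and log in."""
    # Explicit context so certificate and hostname checks do not
    # depend on library defaults.
    context = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=context)
    conn.login(user, password)
    return conn


def fetch_and_remove(conn, sender):
    """Download mail from one sender, then delete only those messages."""
    # The value is placed inside a quoted IMAP string, so reject
    # characters that could end the string or the command early.
    if any(ch in sender for ch in '"\\\r\n'):
        raise ValueError("sender contains characters not allowed here")
    conn.select("INBOX")
    typ, data = conn.search(None, "FROM", f'"{sender}"')
    if typ != "OK":
        raise imaplib.IMAP4.error("SEARCH failed")
    messages = []
    for num in (data[0] or b"").split():
        typ, parts = conn.fetch(num, "(RFC822)")
        if typ != "OK":
            continue  # not downloaded, so leave it on the server
        raw = next(p[1] for p in parts if isinstance(p, tuple))
        messages.append(email.message_from_bytes(raw))
        # Flag only after a successful download.
        conn.store(num, "+FLAGS", "\\Deleted")
    conn.expunge()  # permanently removes the flagged messages
    return messages
```

Mail from other senders is never fetched or flagged, which is the selective behaviour POP cannot provide.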
IsoKiero@sopuli.xyz English 8 hours
> You can do this with IMAP as well, you just need to delete and expunge the emails
Yes, as I mentioned, but it’s still an extra step you need to manage. Not a big one, but an extra step anyways.
> For automated systems, if you don’t want to store the emails, you can configure the email server to pipe the emails directly to a script.
Which is not always an option. You could have the script running on your laptop which isn’t always connected, for example.
I’m well aware of the differences. I’m just saying that there’s still use cases where pop3 has its benefits over imap and discarding it as an ‘old technology’ isn’t always the best route. I’m running my own email server for friends and family and I still have pop3 enabled just in case someone has one of those scenarios where it makes sense to use it.
dan@upvote.au English 9 hours
I used to use POP for some situations, but the protocol is extremely limited. I don’t think there’s anything POP can do that IMAP can’t.
- ranzispa@mander.xyz English 7 hours
You want encrypted communications? Don’t you worry, just let me start netcat and you’re good!






