
FreakyT | 4 years ago

To be fair, it’s the security team’s idiotic position on IMAP that prompted the parent commenter to find a workaround.

It’s like how having super draconian password reset and complexity requirements ends up being less secure because users will start writing their impossible-to-remember passwords on post-it notes.

yunohn | 4 years ago

There’s a big difference between password reset rules and giving third parties access to emails and calendar.

There is nothing draconian about restricting IMAP - any app could exfiltrate confidential emails once granted access. It’s a very sane rule to disallow everything except webmail or first party apps.

beprogrammed | 4 years ago

It's a terrible process for the users. And as we can see, what did it get them? A third party logging into their webmail.

The service is protected with a username and password, didn't matter if it was IMAP or webmail.

jabroni_salad | 4 years ago

The IMAP blocking is for different draconian reasons. Office365 does not support Modern Auth with IMAP, which is considered a security baseline now.

corty | 4 years ago

Office365 supports Kerberos with IMAP, which would be the proper thing to do anyways. Giving passwords to a browser or email application is wrong.

nerf_javascript | 4 years ago

It's the complete opposite, Office365 only supports OAuth with IMAP and is phasing out/has phased out Basic Auth for IMAP. Additionally more often than not organizations are actually running Microsoft Exchange under the hood -- the majority of MS Exchange servers have Basic Auth disabled for IMAP (I believe since 2017 it's been off by default).

zerocrates | 4 years ago

I'm pretty sure they do? I definitely set up an O365 account in Thunderbird using IMAP and OAuth, which I assume is sufficiently "modern auth."
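
The last three comments contrast IMAP with Basic Auth (the client sends the mailbox password in a LOGIN command) and IMAP with Modern Auth (the client sends a short-lived OAuth bearer token through the SASL XOAUTH2 mechanism, which is what Thunderbird uses for the O365 setup described above). The following Python is an added illustration of that difference on the wire; it is not code from the thread or from Microsoft. It builds both client messages offline and parses the XOAUTH2 one back the way a server would. The hostname in `login_office365` and the token value are assumptions, and no network connection is made by the functions the example exercises.

```python
import imaplib


def imap_login_command(tag: str, user: str, password: str) -> bytes:
    """Basic Auth on IMAP: the LOGIN command carries the reusable mailbox
    password itself, so any app or proxy that sees this line owns the mailbox
    until the password is rotated. Strings are quoted per RFC 3501."""
    def quote(s: str) -> str:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{tag} LOGIN {quote(user)} {quote(password)}\r\n".encode()


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Modern Auth on IMAP: the SASL XOAUTH2 initial client response is
        user=<address>^Aauth=Bearer <token>^A^A
    (^A is byte 0x01). Only a scoped, expiring bearer token crosses the wire;
    the password never leaves the identity provider's login page."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("user and token must not contain the 0x01 separator")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def parse_xoauth2_initial_response(raw: bytes) -> dict:
    """Server-side view of the same message, used here to round-trip the
    encoding offline. A real server would next validate the token with the
    identity provider (issuer, audience, expiry, scope); that step is not
    modelled here."""
    text = raw.decode()
    if not text.endswith("\x01\x01"):
        raise ValueError("missing terminating ^A^A")
    fields = {}
    for part in text[:-2].split("\x01"):
        key, _, value = part.partition("=")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("auth field must be 'Bearer <token>'")
    return {"user": fields.get("user", ""), "token": token}


def login_office365(user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """How a client would use the XOAUTH2 response with the standard library.
    imaplib base64-encodes whatever the callback returns. The hostname is an
    assumption for illustration; this function is not called by the tests."""
    conn = imaplib.IMAP4_SSL("outlook.office365.com")  # assumed host
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_initial_response(user, access_token))
    return conn


if __name__ == "__main__":
    # Constructed sample credentials; the token is a placeholder, not a real one.
    print(imap_login_command("a001", "alice@example.com", "hunter2"))
    msg = xoauth2_initial_response("alice@example.com", "eyJ...token")
    print(msg)
    print(parse_xoauth2_initial_response(msg))
```

The point the thread is circling: with LOGIN, "disable IMAP" is the only lever an admin has, because a leaked credential is the full password. With XOAUTH2 the same IMAP client presents a token the tenant can scope, expire and revoke without touching the password, which is why a policy that blocks IMAP outright is coarser than one that blocks Basic Auth on IMAP.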