Disable unencrypted authentication on "TLS" ports
Idea shared by Colin M - 9/22/2020 at 6:15 AM
Proposed
SmarterMail has a feature for the SMTP protocol "Disable AUTH LOGIN method for non-SSL SMTP authentication", but it doesn't have a similar setting for IMAP.

Even when your bindings are set up to not have any "Encryption: None" ports, if you have "Encryption: TLS" ports, the server still allows IMAP to authenticate over an insecure connection because "TLS" in this case really means "insecure+STARTTLS".

Unfortunately, with no way to enforce this, it is possible (and likely, in my experience) for users to configure their clients improperly, so I have some clients using IMAP over an insecure connection, which is REALLY BAD.

Please add a similar option for IMAP and POP protocols. The result should be that an error is returned when a connection tries to issue any commands other than STARTTLS.
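As an added illustration (not SmarterMail code, and not part of the original post), here is a minimal model of the pre-STARTTLS gate the idea describes: before TLS is negotiated the server advertises STARTTLS and LOGINDISABLED and refuses everything except STARTTLS and the few commands IMAP permits in that state, and a small helper lets an admin check whether a server's pre-TLS CAPABILITY line still permits plaintext login. Command set, response texts and the "tls_active" flag are assumptions of this model.

```python
# Added example: IMAP pre-STARTTLS command gate (model) plus a capability audit helper.
# Assumption: TLS negotiation itself is replaced by flipping tls_active.

# Commands IMAP allows on a non-TLS connection before STARTTLS (RFC 2595 / RFC 3501).
PRE_TLS_ALLOWED = {"STARTTLS", "CAPABILITY", "NOOP", "LOGOUT"}


class ImapSession:
    def __init__(self):
        self.tls_active = False

    def capabilities(self):
        # Pre-TLS: advertise STARTTLS and tell clients login is disabled.
        if not self.tls_active:
            return ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"]
        return ["IMAP4rev1", "AUTH=PLAIN", "AUTH=LOGIN"]

    def handle(self, line):
        parts = line.strip().split(" ", 2)
        if len(parts) < 2:
            return "* BAD invalid command"
        tag, cmd = parts[0], parts[1].upper()
        if cmd == "CAPABILITY":
            return "* CAPABILITY " + " ".join(self.capabilities()) + f"\r\n{tag} OK"
        if cmd == "STARTTLS":
            if self.tls_active:
                return f"{tag} BAD TLS already active"
            self.tls_active = True  # real server would run the TLS handshake here
            return f"{tag} OK Begin TLS negotiation now"
        # The gate the post asks for: reject anything else until TLS is up.
        if not self.tls_active and cmd not in PRE_TLS_ALLOWED:
            return f"{tag} NO [PRIVACYREQUIRED] STARTTLS required before {cmd}"
        # Credentials are not checked in this model; only the gating is shown.
        return f"{tag} OK {cmd} completed"


def plaintext_login_possible(capability_line):
    """Audit helper: given the CAPABILITY line a server sends on a
    non-TLS connection, report whether it still permits plaintext login."""
    caps = {c.upper() for c in capability_line.split()[2:]}
    return "LOGINDISABLED" not in caps
```

Run `plaintext_login_possible` over the first `* CAPABILITY` line captured from each of your own "TLS" ports; a `True` result means the port still accepts LOGIN before STARTTLS.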
