Internet Message Access Protocol (IMAP)

IMAP,[65] like POP, is a protocol used by mail user agents to retrieve mail for a specific user from a server. IMAP is a more recent protocol providing more flexibility, including support for multiple mailboxes for each user. POP is commonly used to transfer all messages in a single mailbox to the client from the server; IMAP is designed to store messages on the server, allowing them to be copied and manipulated by the client. IMAP is a much more capable protocol than POP and correspondingly is harder to implement securely.
[65]This acronym is sometimes also expanded to "Interim Mail Access Protocol".
Otherwise, the security implications of IMAP are much like the security implications of POP. IMAP does allow for nonreusable passwords, but not all IMAP servers and clients support them. Similarly, an Internet standard is evolving that will allow IMAP to use TLS to support the encryption of messages as they pass between the server and client, but currently few servers and clients support this option. There is also an assigned port for IMAP over SSL, which is supported by a slightly larger number of clients and servers. Unless you control the IMAP servers and have configured them to require nonreusable passwords and data encryption, or you are restricting connections to IMAP over SSL, you should assume that IMAP is passing reusable passwords and unencrypted data.

Packet Filtering Characteristics of IMAP

IMAP uses straightforward TCP connections to port 143 and is therefore easy to allow through packet filters. IMAP over SSL currently uses port 993, but an earlier convention uses port 585. Several variants of IMAP are in use (you may see variants described as "v2" or "rev4", for instance), but all IMAP versions in wide distribution use the same port.

Direction  Source Addr.  Dest. Addr.  Protocol  Source Port    Dest. Port     ACK Set  Notes
In         Ext           Int          TCP       >1023          143            [66]     Incoming IMAP connection, client to server
Out        Int           Ext          TCP       143            >1023          Yes      Incoming IMAP connection, server to client
In         Ext           Int          TCP       >1023          993, 585[67]   [66]     Incoming IMAP over SSL connection, client to server
Out        Int           Ext          TCP       993, 585[67]   >1023          Yes      Incoming IMAP over SSL connection, server to client
Out        Int           Ext          TCP       >1023          143            [66]     Outgoing IMAP connection, client to server
In         Ext           Int          TCP       143            >1023          Yes      Outgoing IMAP connection, server to client
Out        Int           Ext          TCP       >1023          993, 585[67]   [66]     Outgoing IMAP over SSL connection, client to server
In         Ext           Int          TCP       993, 585[67]   >1023          Yes      Outgoing IMAP over SSL connection, server to client
[66]ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
[67]993 is the current standard, but some older implementations use 585.
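
The rule table above, expressed as a small stateless filter evaluator. This is an added example, not code from the original text; the "int"/"ext" labels, the tuple layout, and the sample packets are constructed for illustration. It shows why the "ACK Set" column matters: a packet arriving from source port 143 is accepted only as part of an established connection.

```python
# Added example: a stateless evaluator for the IMAP rules in the table above.
# The "int"/"ext" labels and the sample packets are constructed for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "direction src dst proto sport dport ack")
Rule = namedtuple("Rule", "direction src dst sport dport ack_required note")

HIGH = range(1024, 65536)   # ">1023" in the table
IMAP = (143,)               # plain IMAP
IMAPS = (993, 585)          # IMAP over SSL: current port and the older convention

def rules_for(server_ports, label):
    """Build the four table rows (incoming and outgoing) for one port set."""
    return [
        Rule("in", "ext", "int", HIGH, server_ports, False, f"incoming {label}, client to server"),
        Rule("out", "int", "ext", server_ports, HIGH, True, f"incoming {label}, server to client"),
        Rule("out", "int", "ext", HIGH, server_ports, False, f"outgoing {label}, client to server"),
        Rule("in", "ext", "int", server_ports, HIGH, True, f"outgoing {label}, server to client"),
    ]

RULES = rules_for(IMAP, "IMAP") + rules_for(IMAPS, "IMAP over SSL")

def evaluate(pkt, rules=RULES):
    """Return the note of the first matching rule, or None (default deny)."""
    for r in rules:
        if (pkt.proto == "tcp" and pkt.direction == r.direction
                and pkt.src == r.src and pkt.dst == r.dst
                and pkt.sport in r.sport and pkt.dport in r.dport
                # Footnote [66]: client-to-server rows accept packets with or
                # without ACK; server-to-client rows require ACK to be set.
                and (pkt.ack or not r.ack_required)):
            return r.note
    return None

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("in", "ext", "int", "tcp", 40000, 143, False),  # first packet to internal server
        Packet("out", "int", "ext", "tcp", 143, 40000, True),  # server reply
        Packet("in", "ext", "int", "tcp", 143, 40000, False),  # from port 143 without ACK
        Packet("in", "ext", "int", "tcp", 585, 40000, True),   # reply from older SSL port
    ]
    for p in samples:
        print(p, "->", evaluate(p) or "DENY")
```

A site that offers no IMAP service to the outside would load only the outgoing pair of rows for each port set; the evaluator takes the rule list as a parameter for that reason.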

Proxying Characteristics of IMAP

IMAP is a straightforward protocol to proxy, since it uses a single TCP connection. There do not appear to be any IMAP-specific proxies available at this time, but generic proxies will work with IMAP (without providing any strong security guarantees).

Network Address Translation Characteristics of IMAP

IMAP does not use embedded IP addresses and will work with network address translation without problems.

Summary of Recommendations for IMAP