It is in plain text if you tell it to be... Just like POP3-- it is part of
the IMAP4 spec, but it can use NTLM. You can easily require SSL/TLS (TCP
993) in the config of the IMAP4 virt server, though. By default, basic
authentication (standard IMAP auth in clear) as well as SASL (Simple Auth
and Security Layer) are enabled -- SASL's default mechanism is NTLM, so that
is an option if you are satisfied enough with NTLM encoding.
IPSec is an option as well-- though I would use certs if you must have
internal IMAP access to EX and require SSL. You can create a CA on your DC
(or stand alone if you wish, but you would want an Enterprise Root CA) and
automatically push out certs via GPO.
hth
T
----- Original Message -----
From: <tigerblue (at) puzzleapuma (dot) de [email concealed]>
To: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Monday, July 19, 2004 5:22 AM
Subject: security M$ exchange2003 imap4
>
> Hi,
>
> Does anybody know which security is implementet for the imap4 login for
> the microsoft exchange 2003 when a domain user try´s to connect the
> exchange via imap4 ? Is the user-logon transfered in plain via the
> network ? Is there a way to secure the authentication ?
>
> best regards
>
> tigerblue
>
> sysadmin
>
> ------------------------------------------------------------------------
--
-
> ------------------------------------------------------------------------
--
-
>
>
the IMAP4 spec, but it can use NTLM. You can easily require SSL/TLS (TCP
993) in the config of the IMAP4 virt server, though. By default, basic
authentication (standard IMAP auth in clear) as well as SASL (Simple Auth
and Security Layer) are enabled -- SASL's default mechanism is NTLM, so that
is an option if you are satisfied enough with NTLM encoding.
IPSec is an option as well-- though I would use certs if you must have
internal IMAP access to EX and require SSL. You can create a CA on your DC
(or stand alone if you wish, but you would want an Enterprise Root CA) and
automatically push out certs via GPO.
hth
T
----- Original Message -----
From: <tigerblue (at) puzzleapuma (dot) de [email concealed]>
To: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Monday, July 19, 2004 5:22 AM
Subject: security M$ exchange2003 imap4
>
> Hi,
>
> Does anybody know which security is implementet for the imap4 login for
> the microsoft exchange 2003 when a domain user try´s to connect the
> exchange via imap4 ? Is the user-logon transfered in plain via the
> network ? Is there a way to secure the authentication ?
>
> best regards
>
> tigerblue
>
> sysadmin
>
> ------------------------------------------------------------------------
--
-
> ------------------------------------------------------------------------
--
-
>
>
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]