Skip to content

Should you have IMAP enabled?

#Cyber Security#Google Workspace#Security

A description of the IMAP functionality and why administrators may want to consider disabling it on the domain.

A description of the IMAP functionality and why administrators may want to consider disabling it on the domain.

This article is written by Pablo Savva, Customer Success Team at Devoteam G Cloud

Contents

  1. What is IMAP and why would it be enabled
  2. What changed?
  3. Other than the logging in, why is IMAP an issue to use?
  4. Ok we should disable it, but what will break?

1. What is IMAP and why would it be enabled

IMAP and POP were popular when internet connections on devices were less reliable and you would need to “top up” what emails were on your devices.  At this point, it was also when mailboxes were closer to 50-80 mb in size in total so it was not as difficult to store all mail on a device and just top up changes.

IMAP was also considered a standard protocol for all mailbox hosting servers to provide connections to different mail clients, devices or services, made popular by Microsoft’s Active sync.

This standard meant there was no vendor lock-in for server and devices that must be bought, an example of a service not using mail syncing standards at this time was Blackberries BEZ server, the only devices that would be able to use this protocol were blackberries devices.

2. What changed?

IMAP became part of the Activesync protocol (IMAP, vCAL and CardDav) this was the next evolution to just using IMAP.  This also included some BASIC policies like pin enforcement but they were very basic.  Google then used this open-source protocol and added a few more policies that android phones would follow, like encryption and device wipe, Google Sync was backwards compatible with activesync.  You must also remember that active sync only applied to mobile devices not desktop mail clients and things like printers and scanners there were/are still many devices that just connect through IMAP.

On this note, for the reasons mentioned in this section and the section below Google has discontinued Google Sync since early 2013 for all consumer Gmail accounts, in the hope that enterprise workspace customers would follow.  You can see the original announcement here.

The technology out evolved the standard, as mail got more feature-rich so did the clients and the authentication methods.  The main part is the use of having passwords for each service you use, SSO has meant we can use one password for all of our (SaaS) apps and IMAP can not support this, which means you still need a Google mail specific password to use.

Security also increased, as these days we know that having just a single string password to access an account can be less secure and so 2-Step/Factor authentication has been introduced into most/all accounts including now consumer accounts.  By enabling 2-step it means that IMAP would stop working, for this reason, Google added a feature called “application specific passwords” this means you can create a long 16-character unique password for each device that uses IMAP. However by using this you are reintroducing a small security weakness as anyone who has this does not need your 2-step code.

Google’s machine learning algorithms that workout users’ behaviours, what devices they are logged into and from what geographic locations are all affected by using App specific passwords for IMAP as the user will often need to enable “Less secure apps” the main app being IMAP.  This needs to be enabled as non-humans will be using the login details, causing Google’s ML to identify suspicious logins that must be impeded so that IMAP applications can carry on working. Google has been trying to disable the use of Less secure apps for a while now as stated here and here but due to Apple devices using IMAP it has proven quite difficult. 

3. Other than the logging in, why is IMAP an issue to use?

Let’s say we have an authenticated device using IMAP and it’s been working great so far, why do I need to change it? The real kicker is administration.  The beauty of a cloud-based workplace is that the data is hosted, this means all your DLP, Security policies, access monitoring, sharing and account policies can be set in the Google admin console and apply to all the data in all your user’s accounts.

Once this data is being stored locally on a device (sometimes in clear text but we can not tell when using IMAP) these accounts-based policies become less effective.  Let’s take an example, a laptop or phone was stolen from a staff member (it could be a personal laptop without a password because IMAP is not restrictive), if users are using the Google mail web UI or the Mobile App then the data will not be stored on the local device in a readable format. However, if they were using Outlook, Apple Mail, or Thunderbird that locally stored mail can (and quite often is) stored in plain text on the device and so can be retrieved.

The other issue is auditing or securing data in users’ accounts, for example if, in the rare event, a phishing email did end up in some users inbox, Google’s security investigation tool can allow admins to isolate that email and pull it out of anyone else that had also received that email, however if the user has IMAP it’s up to the mail client if it keeps that email or not for the end user to see and will be majorly delayed if it is removed as it will need to be on a sync (which can be anywhere from a few minutes to days).

From a user perspective, users will not be able to report phishing and spam when using IMAP or 3rd party mail applications, meaning the corporate spam service in Gmail will not learn the company-specific  phishing attacks and spam to be able to prevent them from reaching end users in future.

Vault retentions may also not be adhere to as the device using IMAP can manage what data is cleared from the mailbox at its own will without having to adhere to the domain’s policy and even if it does as long as that device is not connected back to the internet the mail can be stored in a method that can be retrieved with local access to the device mitigating the Vault retention purge rule.

From a device perspective, because the user is using an email address and password and not Oauth to connect to the device, no policies can be enforced on the device at all as no device information is relayed back to Google when connecting via IMAP and so anyone can access any mail on any device. Theoretically someone could log into outlook on a windows 98 internet cafe computer and Google admins would be none the wiser. This also means that we can not ensure that there is at least full device encryption or a password on the machine syncing all mail through IMAP.

For the reasons above Google chose to stop supporting Google/Activesync back in 2013 for consumer accounts as announced here.

4. Ok we should disable it, but what will break?

Here is a list of scenarios that are typical for IMAP connections.

  • Apple iOS and MAC Mail including extra functionality on Apple watch and Car play.
  • Automated mail services like Printers that send out emails or perhaps systems that send out scans or receipts.
  • PAs often use IMAP login to be able to see their manager’s accounts as you can not use mail-delegated access from the Gmail app.

For the most part, if you are mainly on a SaaS platform there will be very few legacy applications or servers using IMAP, the main blocker is often getting users off Apple mail.

A list of all users, if they have IMAP enabled and the last time IMAP did a sync can be obtained from the Admin console, please contact your Customer Success manager for help retrieving this information.

Google now offers “iOS sync” as a method to use native mail applications on iOS devices that mean you can disable IMAP and POP but allow iOS sync for Apple devices to carry on working.  However it is still strongly recommended to use Gmail apps for the following reasons.

  • All users with the same experience no matter what device which makes support considerably easier.
  • Apple mail does not support AMP mail formatting at the time of writing this article. (used to live update emails with new comments and changes) this website shows supported mail clients.
  • The Gmail app will always support the latest and greatest features.
  • The Gmail app includes Meet video call capability.
  • The Gmail app can (optionaly) include Chat.
  • Gmail allows users to set settings like OOO or signatures.
  • Gmail allows users to report spam and phishing messages.
  • With new iOS management you can deploy the gmail app to all iOS users.
  • Forces users to authenticate their accounts using OAuth on their iPhone allowing them to use all the other Google apps with these credentials, like Drive, calendar etc.
  • IOS sync means you can now allow iOS phones to use Apple mail while turning off IMAP.

Do you want to discuss your own security project with us? 

Get in touch with

Mark De Winne

Google Cloud Business Developer at Devoteam G Cloud