[horde] State of security with Horde and Imp
morgan at orst.edu
Tue Apr 12 22:59:22 UTC 2016
On Wed, 13 Apr 2016, Jens Wahnes wrote:
> On Tue, Apr 12 2016, at 17:07:14 -0400, Louis-Philippe Allard wrote:
>> I have a simple question regarding security with Horde and Imp.
>> Currently, Horde is configured to use Imp as its auth backend. Imp's
>> backends.php is configured to use my Gmail account with SSL and the
>> recommended port from Google.
>> That being said, I had an incident last week that required me to have a
>> look at which devices were accessing my account, and I noticed Google is
>> classifying Horde (and imp I assume) as a "device that does not support
>> modern security standards". Rather insulting but is it true?
>> How behind is horde/imp in terms of security when compared to lets say
>> other commercial solutions? Other question is: will horde eventually
>> support double authentication, or is there anything else to implement to
>> reinforce the simple SSL protocol used by Imp to connect to Gmail?
> I don't know what exactly Google is referring to when talking about
> "modern security standards", but a solution could be as simple as using
> a newer version of TLS to connect to Google's IMAP servers. For
> instance, if you were currently using a TLS 1.0 connection (or SSL 3.0
> even) from your server to Google's IMAP server, then using a connection
> with TLS 1.2 including Forward Secrecy (e.g. ECDHE based) would be
> considered more modern. So that would mostly concern the configuration
> of the host running your Horde installation. If it's a typical Linux
> box, TLS 1.2 would require at least a recent 1.0.1 version of OpenSSL
> (or such) to be used, or better still 1.0.2. But even with these
> prerequisites, the connection may not be using TLS 1.2 right away; you
> might have to configure which protocol versions and ciphers are to be
> preferred. In fact, it could turn out to be quite tedious to find the
> right place and the right way to make that config change.
> If by double authentication you mean two factor authentication, then
> that's rather difficult, at least with an IMAP authentication backend,
> because the IMAP protocol was not designed with two factor
> authentication in mind. It might be possible to build something that
> is in essence a two factor authentication using SASL and authenticate
> via IMAP that way, but that's certainly not very easy to accomplish.
I have run into this problem with Google in the past. Google wants to
force people to use an OAUTH authentication method, but they are being a
bit disingenuous by saying the client "doesn't support modern security
A good post about this:
You can "enable less secure apps" for your account to get around this, but
that's not as nice if you are supporting a bunch of users.
More information about the horde