[horde] State of security with Horde and Imp

Andrew Morgan morgan at orst.edu
Tue Apr 12 22:59:22 UTC 2016


On Wed, 13 Apr 2016, Jens Wahnes wrote:

> On Tue, Apr 12 2016, at 17:07:14 -0400, Louis-Philippe Allard wrote:
>
>> I have a simple question regarding security with Horde and Imp. 
>> Currently, Horde is configured to use Imp as its auth backend.  Imp's
>> backends.php is configured to use my Gmail account with SSL and the
>> recommended port from Google.
>>
>> That being said, I had an incident last week that required me to have a
>> look at which devices were accessing my account, and I noticed Google is
>> classifying Horde (and imp I assume) as a "device that does not support
>> modern security standards".  Rather insulting but is it true?
>>
>> How behind is horde/imp in terms of security when compared to, let's say,
>> other commercial solutions?  The other question is: will horde eventually
>> support double authentication, or is there anything else to implement to
>> reinforce the simple SSL protocol used by Imp to connect to Gmail?
>
> I don't know what exactly Google is referring to when talking about
> "modern security standards", but a solution could be as simple as using
> a newer version of TLS to connect to Google's IMAP servers.  For
> instance, if you were currently using a TLS 1.0 connection (or SSL 3.0
> even) from your server to Google's IMAP server, then using a connection
> with TLS 1.2 including Forward Secrecy (e.g. ECDHE based) would be
> considered more modern.  So that would mostly concern the configuration
> of the host running your Horde installation.  If it's a typical Linux
> box, TLS 1.2 would require at least a recent 1.0.1 version of OpenSSL
> (or such) to be used, or better still 1.0.2.  But even with these
> prerequisites, the connection may not be using TLS 1.2 right away; you
> might have to configure which protocol versions and ciphers are to be
> preferred.  In fact, it could turn out to be quite tedious to find the
> right place and the right way to make that config change.
>
> If by double authentication you mean two factor authentication, then
> that's rather difficult, at least with an IMAP authentication backend,
> because the IMAP protocol was not designed with two factor
> authentication in mind.  It might be possible to build something that
> is in essence a two factor authentication using SASL and authenticate
> via IMAP that way, but that's certainly not very easy to accomplish.

I have run into this problem with Google in the past.  Google wants to 
force people to use an OAuth authentication method, but they are being a 
bit disingenuous by saying the client "doesn't support modern security 
standards".

A good post about this:

   https://support.mozilla.org/en-US/questions/1044903

You can "enable less secure apps" for your account to get around this, but 
that's not as nice if you are supporting a bunch of users.

 	Andy
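Jens's point above about TLS 1.2 and forward secrecy comes down to what the Horde host actually negotiates when it opens port 993 to the IMAP server. The script below is an added example, not code from this thread or from the Horde project: it pins the client to TLS 1.2 or newer with Python's standard `ssl` module and classifies the negotiated protocol version and cipher suite as reported by `SSLSocket.version()` and `SSLSocket.cipher()`. The host name `imap.example.invalid` is a placeholder; pass the real IMAP server on the command line.

```python
"""Probe an IMAP-over-TLS endpoint and assess whether the negotiated
parameters are what Jens described as "modern": TLS 1.2+, (EC)DHE key
exchange for forward secrecy, and an AEAD cipher."""
import socket
import ssl
import sys
from dataclasses import dataclass

# Placeholder host (constructed for this example); override on the command line.
IMAP_HOST = "imap.example.invalid"
IMAP_SSL_PORT = 993

MODERN_VERSIONS = {"TLSv1.2", "TLSv1.3"}


@dataclass
class TlsAssessment:
    version: str
    cipher: str
    modern_version: bool
    forward_secrecy: bool
    aead: bool

    @property
    def modern(self) -> bool:
        # All three properties must hold for the connection to count as modern.
        return self.modern_version and self.forward_secrecy and self.aead


def assess_tls(version: str, cipher: str) -> TlsAssessment:
    """Classify a (protocol version, OpenSSL cipher name) pair.

    `version` is the string SSLSocket.version() returns ("TLSv1", "TLSv1.2", ...);
    `cipher` is SSLSocket.cipher()[0] ("ECDHE-RSA-AES128-GCM-SHA256", ...).
    """
    modern_version = version in MODERN_VERSIONS
    if version == "TLSv1.3":
        # TLS 1.3 only defines AEAD suites and always uses an (EC)DHE handshake,
        # so the cipher name alone does not carry the key-exchange information.
        forward_secrecy = True
        aead = True
    else:
        # For TLS 1.2 and older the OpenSSL name starts with the key exchange.
        forward_secrecy = cipher.startswith(("ECDHE-", "DHE-"))
        aead = any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM"))
    return TlsAssessment(version, cipher, modern_version, forward_secrecy, aead)


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2 and verifies
    the server certificate against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_imap_server(host: str, port: int = IMAP_SSL_PORT,
                      timeout: float = 10.0) -> TlsAssessment:
    """Open a TLS connection to host:port and assess what was negotiated.

    Requires network access; raises ssl.SSLError if the server cannot meet
    the TLS 1.2 floor set in make_client_context()."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess_tls(tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else IMAP_HOST
    result = probe_imap_server(target)
    print(f"{target}: {result.version} {result.cipher}")
    print(f"  TLS 1.2+: {result.modern_version}  forward secrecy: "
          f"{result.forward_secrecy}  AEAD: {result.aead}  modern: {result.modern}")
```

Run it as `python probe_tls.py imap.example.invalid` (substituting the real server). A connection that fails with an `SSLError` under the TLS 1.2 floor tells you the OpenSSL build or the server is the limiting factor, which is the "find the right place to make that config change" problem Jens describes; a connection that succeeds but reports `forward secrecy: False` points at the cipher preference list rather than the protocol version.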
