I have a variety of email accounts. Some business, some personal, some purchased strictly to see how the experience of something is like, some because
[See the full post at: Moving away from basic auth]
Susan Bradley Patch Lady/Prudent patcher
Thanks for today’s post. I do have a basic question. You note losing data using PST; I assume you mean an Outlook PST file. I’ve been using Outlook with a PST file going way back to when it was first introduced and have never lost any data at all. I do a double redundant back up of the PST files just to be on the safe side, including a cloud back up to AWS. I have a home office and this seems to work just fine. I’m curious what kind of data loss you are talking about.
It is not the Outlook pst file that loses emails, it is the POP setup that loses emails.
POP setup downloads the emails directly to the email client (in this case Outlook).
IMAP downloads the emails to the Exchange server and your email client can view the email on the server or you can also download the email to your PC.
If something happens during a download to a POP email client the email is lost and you never receive it. If something happens downloading an email from the Exchange server (IMAP setup), the email is still on server and not lost.
HTH, Dana:))
I’ve been using Outlook with a PST file going way back to when it was first introduced and have never lost any data at all.
Me too.
It is not the Outlook pst file that loses emails, it is the POP setup that loses emails.
I have Outlook setup to leave a copy of my email on the server until I delete them from Outlook, and it does.
This is a good article because it confused the heck out of me! I have used TBird and POP forever and have many old emails kept in its folders and sub folders.
I often use that if I need to check on communication with a certain company, or project.
I do not have office or exchange. (I use libreoffice). Wondering what I should do. I download emails and remove them from the server (gmail) assuming that they could be hacked/read if left on the server.
I do not trust other-peoples’-storage which is why I almost never use cloud. At present my TBird folder is about 0.6GB and is backed up with every image I take.
I thought I was in good shape, but maybe I could be in better shape? / Safer? Thanks!
First off POP relies on older authentication technology. You are now “low hanging fruit” for attackers. I’ve also seen it not work well with large email messages. Then – in my case – I have phones, and multiple computers that can access that email. So pop pulling it down to one location – you had better ensure that you have a backup of that hard drive and then only read email from one – and only one – location.
Susan Bradley Patch Lady/Prudent patcher
Thanks! gmail uses SSL/TLS connection and OAuth2 for authentication for POP. I assume that would be the same if I just changed to imap.
With either one I have the choice of leaving it on the gmail server, or downloading it and deleting it from the server, so I am confused as to how imap would give me better protection.
I do generally access gmail from one location, though I can’t from my phone, probably because I delete them from the server.
So
leaving them on the server gives me better security?
changing to IMAP gives me better security?
I have googled a bit but don’t see any clear answer.
Thanks!
I do not have office or exchange. (I use libreoffice). Wondering what I should do.
You can configure Tbird to use IMAP with Gmail using Gmail's servers (Microsoft Exchange is a protocol used by many different servers). The link below explains how:
Thunderbird and Gmail
HTH, Dana:))
Thanks! Okay, so I went to gmail in browser and changed it to imap and turned pop off. Then I went to TBird and deleted my main logon and added it again but this time as imap. I can then send myself a message (after jumping through all of google’s hoops) and receive it. One thing I notice is that with POP I could have it download messages into “Local Folders” where I have all my stuff stored. With account set as imap, I cannot. I don’t think that is a big deal but I now think I understand the difference between Inbox under my email name, and All Mail under gmail (which has everything) – I have been using Inbox as having just stuff I need to attend to and I think I can still have it. Not sure of correct setting for if I delete a message because I use that for both
1) clean up Inbox,
2) put stuff in Trash where I can delete it later if not needed.
Sooooooooooooooooo
I think I am all set.
Many thanks to both of you!!!
With POP you download just the Inbox of Gmail and then store your local folders.
With IMAP you synch (update) all folders of the Gmail account (storage, Spam, Trash, etc.).
Not sure the exact steps with Tbird, but you may have to create new folders to store the emails in Tbird as it may see the IMAP as a new account. That’s what I did in Outlook. The folder hierarchy for IMAP will be different.
If you delete an email it will go to Gmail’s Trash folder. Delete the contents of the Trash folder to actually delete the email (in Outlook this is a setting to delete upon closing, but you can manually do it).
HTH, Dana:))
Thanks. Yes, I deleted the pop account and created a new account with the gmail name in TBird, so instead of it being merged with local folders, it is separate. No problem. I copied the old Inbox to the Inbox under my gmail name so I should be good from here. Yes it does seem to require me to delete a message in 2 or 3 places to actually get rid of it (edit: nope, one will do it!), but I should quickly get the hang of it. It does allow me to see everything on my phone, which is nice. Just a brief 2 day learning bit and I will be used to it. Should have changed eons ago when my sister was asking me to help her with her imap and I knew nothing about it. THANKS!!!
yes. What I have done in the past is keep Inbox simple by moving messages I want to keep into appropriate local folders, and deleting the rest. It should be the same with this.
I do not see any change in security with this change – simply a different server/my folders organization system.
At home, we have Thunderbird POP email accounts with our internet provider here in Australia – one account for my wife, one for myself, and one solely for communicating with my internet provider.
I have a free protonmail account for all my regular newsletters etc., and I guard it carefully.
I had a Gmail account for a long time, until recently – I used it where an email account was requested and I was not sure if I would be flooded with spam or not. Well it was not long before the Spam box was full on a daily basis (100+). I have now deleted my Gmail account completely. Google threatened to disable some programs on my android tablet if I deleted my Gmail account, but I went ahead and deleted it anyway.
POP accounts are ok for me as any emails I want to keep, I save them to my desktop, move them to a folder on my D drive, which is backed up to my NAS. It is crazy to leave important emails on someone else’s server “somewhere out there in the cloud” and not expect to lose them or have them hacked at some point.
mbhelwig
That got me thinking. I looked at All Mail and, yes all mails including medical stuff, up on the web. So I went back to POP. Nothing on the server any more other than the last few emails sitting in trash in the web version (which I periodically clear).
Well I learned a lot! Didn’t take much time.
THANKS!
I have Outlook setup to leave a copy of my email on the server until I delete them from Outlook, and it does.
Same here. That way I get to have a single Inbox (and set of custom folders) for all of my internet mail accounts (grouped by account), and still have exactly the same emails that remain in Outlook also remaining on the source servers. On the infrequent occasions I want to check emails on, say, a phone, I’ll just go to the email provider’s web interface.
But there *are* a few things I have to be careful with using POP3 with the “Remove from server when deleted from ‘Deleted items'” approach. One is the occasional issue where Outlook re-downloads *all* emails remaining in the server’s Inbox for a given account. While there are easy ways to group and remove the duplicates, if I don’t take precautions first I can end up inadvertently deleting *everything* from the server (though the deleted emails will remain retrievable on the server’s Trash folder for a while). Also, if a send/receive bombs immediately after some deletions from Outlook, those deletions *won’t* get reflected on the server, even after subsequent send/receives.
On a related note, one reason I won’t use Gmail as a primary account is because it has always refused to honor Outlook’s “Remove from server when deleted from ‘Deleted items'” option. Instead it’s a global delete-everything or keep-everything choice. (At least that’s how it used to be and, I presume, still is.)
If you use Gmail (and other large Email providers) with POP3 and even have it set to not leave emails on server, they are not deleted and remain in Gmail servers unless you select the setting to delete Gmail’s copy (a separate setting in Gmail settings which many users are unaware of).
In IMAP you can have two sets of folders: the set in the IMAP setup kept on the email server which is accessible by your other devices like your smart phone and the set you create on your PC in Outlook/Tbird/etc. which are accessible only on that PC. You can view an email on your devices. On your phone, view the email and leave in the Inbox (which is the IMAP Inbox). When you view the email on your PC, either move the email to your folders you created or delete the email. Either way the email is no longer in the IMAP Inbox and the email is deleted from the server.
So in reality IMAP with delete or move to private folders is the default method to remove the emails from the server while POP3 requires additional settings to remove the emails from web storage.
You can use both IMAP and POP3 on different devices accessing the same email account. You can have POP3 setup on your PC and set IMAP on your phones and tablets. Just remember that once you download and delete the email from the server with POP3, the email will not be available to the other devices. Also emails sent by the IMAP will not be in the sent folder of the POP3 PC.
As far as security…they are about the same – both can use encryption, advanced authorization, not leave emails on the server, and same anti-malware scanning by the email provider. One security advantage for IMAP is you download just the header until you open the email so you can delete a suspected email without downloading the entire email with malware payload (which is what POP3 does).
Which? IMAP for multiple device use on the same email account. POP3 for a single device used to access emails. IMO, Security is about the same.
HTH, Dana:))
If you use Gmail (and other large Email providers) with POP3 and even have it set to not leave emails on server, they are not deleted and remain in Gmail servers unless you select the setting to delete Gmail’s copy (a separate setting in Gmail settings which many users are unaware of).
That is in (on browser) gmail settings / Forwarding and POP/IMAP and is set correctly in mine. That is probably because I use Thunderbird and in Account settings / Server settings, I have “leave messages on server” UNchecked.
Comcast Mail’s current POP settings dialog is simple but strange. There are two choices, “Keep” and “Delete.” But “Delete” actually means “allow your application to tell the server what to do.” Here’s Comcast’s full POP settings dialog:
connect to the email server and attempt to login
As I thought.
A concern perhaps for private email servers that are insecure. Commercial servers allow few attempts during same connection, and few reconnections in quick succession.
Microsoft : Basic Authentication Deprecation in Exchange Online – May 2022 Update
In about 150 days from today, we’re going to start to turn off Basic Auth for specific protocols in Exchange Online for those customers still using it.
Since we announced the October 1, 2022 deadline last year we’ve seen great progress from customers and partners as they move their clients and apps from basic to Modern Authentication. Since there are a lot of customers still using Basic Auth, we wanted to re-state the scope and implications of this change, and to answer some of the common questions we get.
As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing.
We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack…
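Added example (not part of any post in this thread, and not Microsoft's or Google's code): the thread's question of whether a mailbox still accepts password ("basic") logins or only OAuth2 tokens can be answered from what the server advertises in its IMAP `CAPABILITY` line or POP3 `CAPA` response. The sketch below classifies such a response; the function names and the sample responses are constructed for illustration.

```python
# Added example: classify the login methods a mail server advertises.
# Mechanism names follow the SASL registry; XOAUTH2 is the provider-specific
# OAuth 2.0 mechanism, OAUTHBEARER the standardised one.
PASSWORD_SASL = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "NTLM"}
TOKEN_SASL = {"XOAUTH2", "OAUTHBEARER"}


def parse_imap_capability(line):
    """Return (sasl_mechanisms, login_command_allowed) from an IMAP CAPABILITY line."""
    tokens = line.upper().split()
    mechs = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    # The IMAP LOGIN command (plain username/password) is usable unless
    # the server advertises LOGINDISABLED.
    return mechs, "LOGINDISABLED" not in tokens


def parse_pop3_capa(lines):
    """Return (sasl_mechanisms, user_pass_allowed) from a POP3 CAPA response."""
    mechs, user_pass = set(), False
    for raw in lines:
        parts = raw.upper().split()
        if not parts:
            continue
        if parts[0] == "SASL":
            mechs.update(parts[1:])
        elif parts[0] == "USER":  # the USER and PASS commands are supported
            user_pass = True
    return mechs, user_pass


def audit(mechs, password_command_allowed):
    """Summarise whether password logins, token logins, or both are offered."""
    password = sorted(mechs & PASSWORD_SASL)
    if password_command_allowed:
        password.append("USER/PASS or LOGIN command")
    token = sorted(mechs & TOKEN_SASL)
    if password and token:
        verdict = "mixed"        # OAuth2 offered, but passwords still accepted
    elif password:
        verdict = "basic-only"
    elif token:
        verdict = "modern-only"
    else:
        verdict = "unknown"
    return {"password": password, "token": token, "verdict": verdict}


# Constructed sample responses (not captured from any real provider).
IMAP_MODERN = "* CAPABILITY IMAP4rev1 SASL-IR LOGINDISABLED AUTH=XOAUTH2 AUTH=OAUTHBEARER"
IMAP_MIXED = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2"
POP3_BASIC = ["+OK Capability list follows", "USER", "SASL PLAIN LOGIN", "UIDL", "."]
```

A "mixed" result means the password path is still open at the protocol level even if your own client already signs in with OAuth2; what is advertised can also differ before and after the TLS handshake, so check the response received over the encrypted connection.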