Unencrypted IMAP Connection Is A Bad Idea – Here’s Why

There is an important reason you should never use unencrypted IMAP connections.

By Den in Security

August 25, 2011

There are plenty of people out there who are using IMAP-based accounts in various mail clients. Some of those clients are configured not to use an encrypted connection, and that is a serious problem. Not yet convinced? Take a look at this.

Image lost since transition to new blog.

Obviously, parts of IP addresses and login data are removed. But you get the idea – without encryption, the data is transmitted in plain text through the IMAP protocol. Make sure you switch to an SSL connection, if it is supported by the server.

Image lost since transition to new blog.

This does not eliminate other security problems, but it mitigates one of them. Remember:

IMAP4rev1 protocol transactions, including electronic mail data, are sent in the clear over the network unless protection from snooping is negotiated. This can be accomplished either by the use of STARTTLS, negotiated privacy protection in the AUTHENTICATE command, or some other protection mechanism.
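To check which side of that sentence a server falls on, the sketch below (an added example, not code from the original post) reads the capabilities a server advertises on the plaintext port and reports whether it would accept credentials before TLS, then shows a client connection that refuses to proceed unencrypted. The function names and the sample response lines are constructed for illustration; ports 993 and 143 are the standard IMAPS and IMAP ports.

```python
import imaplib
import re
import ssl

# SASL mechanisms that carry the password itself (only base64-encoded).
CLEARTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(line):
    """Extract capability tokens from a greeting or CAPABILITY response line."""
    m = re.search(r"CAPABILITY ([^\]\r\n]*)", line, re.IGNORECASE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def audit_pre_tls(line):
    """Judge what a plaintext-port server accepts before TLS is negotiated."""
    caps = parse_capabilities(line)
    if not caps:
        return {"starttls": False, "cleartext": None, "verdict": "no-capability-data"}
    starttls = "STARTTLS" in caps
    # RFC 3501: LOGIN works in the clear unless LOGINDISABLED is advertised.
    cleartext = "LOGINDISABLED" not in caps or bool(caps & CLEARTEXT_SASL)
    if cleartext:
        verdict = "cleartext-credentials-accepted"
    elif starttls:
        verdict = "starttls-required"
    else:
        verdict = "login-unavailable"
    return {"starttls": starttls, "cleartext": cleartext, "verdict": verdict}

def open_encrypted(host, implicit_tls=True):
    """Return an IMAP connection that is encrypted before any login is sent."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    if implicit_tls:
        return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)
    conn = imaplib.IMAP4(host, 143)
    conn.starttls(ssl_context=ctx)  # raises if the server lacks STARTTLS
    return conn

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = [
        "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
        "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
        "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
    ]
    for s in samples:
        print(audit_pre_tls(s)["verdict"], "<-", s)
```

A server that advertises STARTTLS without LOGINDISABLED still takes a password in the clear from any client that never asks for TLS, which is why the second sample is flagged.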

