16.7. Internet Message Access Protocol (IMAP)
IMAP,[65] like POP, is a protocol
used by mail user agents to retrieve mail for a specific user from a
server. IMAP is a more recent protocol providing more flexibility,
including support for multiple mailboxes for each user. POP is
commonly used to transfer all messages in a single mailbox to the
client from the server; IMAP is designed to store messages on the
server, allowing them to be copied and manipulated by the client.
IMAP is a much more capable protocol than POP and correspondingly is
harder to implement securely.
Otherwise, the security implications of IMAP are much like the
security implications of POP. IMAP does allow for nonreusable
passwords, but not all IMAP servers and clients support them.
Similarly, an Internet standard is evolving that will allow IMAP to
use TLS to support the encryption of messages as they pass between
the server and client, but currently few servers and clients support
this option. There is also an assigned port for IMAP over SSL, which
is supported by a slightly larger number of clients and servers.
Unless you control the IMAP servers and have configured them to
require nonreusable passwords and data encryption, or you are
restricting connections to IMAP over SSL, you should assume that IMAP
is passing reusable passwords and unencrypted data.
16.7.1. Packet Filtering Characteristics of IMAP
IMAP uses straightforward TCP connections to port 143 and is
therefore easy to allow through packet filters. IMAP over SSL
currently uses port 993, but an earlier convention uses port 585.
Several variants of IMAP are in use (you may see variants described
as "v2" or "rev4", for instance), but all
IMAP versions in wide distribution use the same port.
| Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | ACK Set | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | TCP | >1023 | 143 | [66] | Incoming IMAP connection, client to server |
| Out | Int | Ext | TCP | 143 | >1023 | Yes | Incoming IMAP connection, server to client |
| In | Ext | Int | TCP | >1023 | 993, 585[67] | [66] | Incoming IMAP over SSL connection, client to server |
| Out | Int | Ext | TCP | 993, 585[67] | >1023 | Yes | Incoming IMAP over SSL connection, server to client |
| Out | Int | Ext | TCP | >1023 | 143 | [66] | Outgoing IMAP connection, client to server |
| In | Ext | Int | TCP | 143 | >1023 | Yes | Outgoing IMAP connection, server to client |
| Out | Int | Ext | TCP | >1023 | 993, 585[67] | [66] | Outgoing IMAP over SSL connection, client to server |
| In | Ext | Int | TCP | 993, 585[67] | >1023 | Yes | Outgoing IMAP over SSL connection, server to client |
[66] ACK is not set on the first packet of this type
(establishing connection) but will be set on the rest.
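The table's rules can be modeled as a stateless filter to see what the ACK column does in practice. The following Python sketch is an added example, not code from the original text; the Packet and Rule types, the "int"/"ext" zone labels, and the sample packets are constructed for illustration.

```python
from collections import namedtuple

# Constructed model of a stateless packet filter; field names are this example's own.
Packet = namedtuple("Packet", "direction src dst proto sport dport ack")
Rule = namedtuple("Rule", "direction src dst proto sport dport ack note")

HIGH = range(1024, 65536)      # ">1023" in the table
IMAP, IMAPS = (143,), (993, 585)
ANY, YES = None, True          # ACK column: [66] -> set or unset, "Yes" -> must be set

def imap_rules(ports, label):
    """The four table rows (incoming and outgoing, both directions) for one port set."""
    return [
        Rule("in", "ext", "int", "tcp", HIGH, ports, ANY, f"Incoming {label}, client to server"),
        Rule("out", "int", "ext", "tcp", ports, HIGH, YES, f"Incoming {label}, server to client"),
        Rule("out", "int", "ext", "tcp", HIGH, ports, ANY, f"Outgoing {label}, client to server"),
        Rule("in", "ext", "int", "tcp", ports, HIGH, YES, f"Outgoing {label}, server to client"),
    ]

RULES = imap_rules(IMAP, "IMAP") + imap_rules(IMAPS, "IMAP over SSL")

def match(rule, pkt):
    """True when every column of the rule, including the ACK column, accepts the packet."""
    return (rule.direction == pkt.direction and rule.src == pkt.src
            and rule.dst == pkt.dst and rule.proto == pkt.proto
            and pkt.sport in rule.sport and pkt.dport in rule.dport
            and (rule.ack is ANY or pkt.ack))

def decide(pkt, rules=RULES):
    """Return the note of the first matching rule, or None (default deny)."""
    for rule in rules:
        if match(rule, pkt):
            return rule.note
    return None

# Constructed sample packets.
SYN_OUT = Packet("out", "int", "ext", "tcp", 40000, 143, False)       # internal client opens IMAP
REPLY_IN = Packet("in", "ext", "int", "tcp", 143, 40000, True)        # server reply, ACK set
NEW_FROM_143 = Packet("in", "ext", "int", "tcp", 143, 6000, False)    # connection start from port 143

if __name__ == "__main__":
    for p in (SYN_OUT, REPLY_IN, NEW_FROM_143):
        print(p, "->", decide(p) or "DENY")
```

The third packet matches the "server to client" row on addresses and ports but is denied because ACK is not set, so an external host cannot use source port 143 to open new connections to internal high ports.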
16.7.2. Proxying Characteristics of IMAP
IMAP is a straightforward protocol to proxy, since it uses a single
TCP connection. There do not appear to be any IMAP-specific proxies
available at this time, but generic proxies will work with IMAP
(without providing any strong security guarantees).
16.7.3. Network Address Translation Characteristics of IMAP
IMAP does not use embedded IP addresses and will work with network
address translation without problems.