this post was submitted on 07 Jun 2026
167 points (97.7% liked)

Technology

85208 readers
4879 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
167
Fedora Linux 43 exposes 20-year-old Microsoft Outlook security failure (nerds.xyz)
submitted 14 hours ago by nahostdeutschland@feddit.org to c/technology@lemmy.world
16 comments fedilink hide all child comments
top 16 comments
sorted by: hot top controversial new old
[–] dan@upvote.au 40 points 13 hours ago* (last edited 13 hours ago) (3 children)

Someone who's still using POP instead of IMAP4 probably hasn't updated their setup in 20 years.

This is a good reminder to use the secure ports for IMAP (993) and SMTP (465). Don't use ports that use opportunistic TLS (STARTTLS), which are 143 for IMAP and 587 for SMTP. These start unencrypted and switch to using encryption once the server says it supports it. An attacker can just modify the response and say the server doesn't support encryption, in which case the connection will remain unencrypted. https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations

You can force encryption on the client side... but then you may as well just use the port that's always encrypted.

(yes, I know that the TLS handshake isn't encrypted either)

[–] pHr34kY@lemmy.world 17 points 12 hours ago

Forcing encryption reduced my spam by about 99%. Spambots almost never have certificates.

It also prevented email being delivered from Nintendo, because they can't tie two network wires together.

[–] Tetsuo@jlai.lu 2 points 8 hours ago

In my experience, no large business would decide to only accept encrypted inbound SMTP. So as usual with SMTP you try to handle the worst clients sending you mail with nothing security wise (no DKIM, no SPF, no TLS) and still try to filter all the spam out of it and that's about it.

And I acknowledge the effort from google to push the security to get better but even then nobody wants to accept to miss a few dirty emails for the sake of security.

The stance is unfortunately to never be the one refusing emails even when they are absolutely and completely unsecured. It really sucked being an admin on that kind of systems. SMTP is one of the worst protocols I have ever seen so widely used and there is still this idea that you should accept mail even when they dont fully respect the basic security requirements Gmail has made mandatory.

Most of the time the higher ups didn't seem to care about the confidentiality of mails received.

[–] corsicanguppy@lemmy.ca 3 points 13 hours ago (2 children)

Someone who's still using POP instead of IMAP4 probably hasn't updated their setup in 20 years.

You'll understand one day that pop3s has its uses for certain situations.

[–] timewarp@lemmy.world 4 points 12 hours ago* (last edited 12 hours ago) (1 children)

Can you explain what they are? I'm curious what POP3 offers that IMAP4 doesn't.

[–] IsoKiero@sopuli.xyz 7 points 12 hours ago (1 children)

I've used that on automated systems. No need to worry about email quota and everything incoming is single-use input for other systems so there's no need to store messages on the mail server. Sure, you could do that with imap too, but pop3 clients usually don't leave messages on the server by default, so there's no need to delete them separately.

Other case might be to pull the emails from email provider servers so that provider can't use your emails later. For example if you're an journalist you might not want to have your emails stored with a 3rd party. Or maybe you're using some free tier email provider with a very limited quota, which was generally the use case for pop3 before everyone got practically unlimited quota.

On my personal account I of course use imap since I've got multiple devices but pop3 isn't quite dead yet.

[–] dan@upvote.au 2 points 12 hours ago* (last edited 12 hours ago) (1 children)

I've used that on automated systems. No need to worry about email quota and everything incoming is single-use input for other systems so there's no need to store messages on the mail server

You can do this with IMAP as well, you just need to delete and expunge the emails. Any good email client or library will have an option for this.

POP is literally just downloading all the emails, then deleting them. That's it.

You can't have a script that only downloads emails that match a search (for example emails from a particular sender), since POP doesn't support search. A basic use case is to check for bills/invoices from certain companies and import them into an accounting system, while leaving other emails untouched.

You can't receive emails in real-time and have to instead poll, since POP doesn't support real time notifications. IMAP supports IMAP IDLE.

If you have rules that filter emails into folders, you can't download them via POP, as it doesn't support folders.

For automated systems, if you don't want to store the emails, you can configure the email server to pipe the emails directly to a script. That way they're not stored at all, and your script gets them immediately rather than having to poll.

[–] IsoKiero@sopuli.xyz 3 points 11 hours ago

You can do this with IMAP as well, you just need to delete and expunge the emails

Yes, as I mentioned, but it's still extra step you need to manage. Not a big one, but extra step anyways.

For automated systems, if you don’t want to store the emails, you can configure the email server to pipe the emails directly to a script.

Which is not always an option. You could have the script running on your laptop which isn't always connected, for example.

I'm well aware of the differences. I'm just saying that there's still use cases where pop3 has it's benefits over imap and discarding it as an 'old technology' isn't always the best route. I'm running my own email server for friends and family and I still have pop3 enabled just in case someone has one of those scenarios where it makes sense to use it.

[–] dan@upvote.au 1 points 12 hours ago

I used to use POP for some situations, but the protocol is extremely limited. I don't think there's anything POP can do that IMAP can't.

[–] frischkaesbagett@feddit.org 45 points 14 hours ago (1 children)

Microsoft outlook is a 27-year-old security failure.

[–] ViscloReader@lemmy.world 2 points 5 hours ago (1 children)

Microsoft outlook is a failure.

[–] bless@lemmy.ml 3 points 5 hours ago

Microsoft is a failure

[–] ranzispa@mander.xyz 1 points 10 hours ago

You want encrypted communications? Don't you worry, just let me start netcat and you're good!

[–] Antaeus@lemmy.world 1 points 11 hours ago (1 children)

That link is geo blocked in Denmark 😔

[–] harmony@piefed.blahaj.zone 1 points 8 hours ago (1 children)

??? I can access it from Denmark though. Without a VPN.

[–] Antaeus@lemmy.world 1 points 6 hours ago

Maybe because I have Yousee?