Wm. Cerniuk wrote:
> I am hunting for a white paper or otherwise that compares and contrasts the security of both IMAP and MAPI.
Authentication methods:
MAPI: LANMAN, NTLM, Kerberos.
IMAP: plaintext password, NTLM, MD5, GSSAPI (offers multiple methods, most commonly Kerberos), PKI.
Notes on authentication:
LANMAN is easily broken but should be disabled on systems run by people with a clue.
NTLM hashes are dangerous to use on the Internet given the new(ish) pass-the-hash attacks, and shouldn't be allowed for remote access to mail.
Kerberos requires connectivity to a KDC (a.k.a. AD DC), also typically not allowed for remote access users because of the sensitivity of the Kerberos key database.
MD5 is a password hash technique, and may be vulnerable to rainbow table attacks.
PKI provides mutual authentication between client and server, provides confidentiality, but requires specific support in the IMAP server. Not all IMAP servers support it. MAPI does not support PKI authentication.
Confidentiality methods:
MAPI: IPsec or SSL (only with RPC/HTTPS)
IMAP: IPsec or SSL.
Notes on confidentiality:
IPsec is a real beast, and generally overkill when protecting only a single protocol. If this is your option, better to provide full VPN connectivity instead. IPsec protection for both MAPI and IMAP cannot be leveraged for authentication to the mail service; i.e., if you have to authenticate for IPsec, you have to authenticate for MAPI/IMAP separately.
SSL for MAPI is only available using RPC/HTTPS as the MAPI transport. This is supported by MS, but does *not* support mutual authentication at the SSL layer. MAPI will still authenticate using LANMAN or NTLM in this case, using SSL only for confidentiality. These users will be generally restricted to using cached credentials as they will not have a KDC available.
IMAP/SSL (a.k.a. IMAPS) is built into most IMAP servers. IMAP with SSL can be used for mutual authentication, if the user has a certificate. This can be leveraged by the IMAP service--if the server supports it--to authenticate the user to his mailbox all in one go. Otherwise, IMAP will operate much like MAPI, using SSL for confidentiality only and transporting another, weaker, authentication inside that channel.
The practical upshot:
It depends on the use case. If you're talking about remote access to email (i.e., crossing the enclave boundary), IMAP is better IMHO. Support for confidentiality and strong authentication for remote users is much better and simpler to deploy. However, IMAP doesn't do calendaring with Exchange; only MAPI can do this. But that forces you into a weaker authentication model.
To put this into DoD context (this is fed-talk, right? :)--MAPI over RPC/HTTPS is strictly forbidden by JTF-GNO because it cannot comply with the PKI authentication requirements of CTOs 06-02 and 07-15.
-- Tim
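As an added example (not part of Tim's reply), a small Python check that parses an IMAP server's untagged CAPABILITY response and rates the authentication mechanisms on offer by the criteria in the notes above: plaintext and NTLM weak, MD5 challenge-response middling, GSSAPI/Kerberos strong, TLS client certificate via SASL EXTERNAL strongest. The rank table and the sample response are constructed for this example, not taken from any standard or product.

```python
import re

# Rank of IMAP authentication mechanisms, constructed for this example from
# the notes above: plaintext and NTLM are weak, MD5 challenge-response is
# middling, Kerberos via GSSAPI is strong, and a TLS client certificate via
# SASL EXTERNAL is strongest (mutual authentication, no KDC needed remotely).
RANK = {"LOGIN": 0, "PLAIN": 0, "NTLM": 0, "CRAM-MD5": 1, "DIGEST-MD5": 1,
        "GSSAPI": 2, "EXTERNAL": 3}

def parse_capabilities(line):
    """Parse an untagged '* CAPABILITY ...' response (RFC 3501, section 7.2.1)."""
    m = re.match(r"^\* CAPABILITY (.+?)\s*$", line)
    if not m:
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    caps = [c.upper() for c in m.group(1).split()]
    mechs = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    return {"starttls": "STARTTLS" in caps,
            "logindisabled": "LOGINDISABLED" in caps,
            "mechs": mechs}

def assess(line, tls_active=False):
    """Rate the authentication offered on one connection; tls_active says the
    capability list was read inside TLS (IMAPS, or after STARTTLS)."""
    caps = parse_capabilities(line)
    mechs = caps["mechs"]
    if not caps["logindisabled"]:
        mechs.add("LOGIN")  # the LOGIN command (plaintext) is implicit unless disabled
    findings = []
    if not tls_active and not caps["starttls"]:
        findings.append("no TLS available: credentials cross the wire unprotected")
    if not tls_active:
        for m in sorted(mechs):
            if RANK.get(m, 0) == 0:
                findings.append(f"{m} accepted before TLS is established")
    if "NTLM" in mechs:
        findings.append("NTLM offered: hash-based, unsuitable for remote access")
    if mechs & {"CRAM-MD5", "DIGEST-MD5"}:
        findings.append("MD5 challenge-response offered: weaker than Kerberos or PKI")
    if "EXTERNAL" in mechs and not tls_active:
        findings.append("EXTERNAL advertised outside TLS: no client certificate to bind to")
    strongest = max(mechs, key=lambda m: (RANK.get(m, 0), m)) if mechs else None
    return {"strongest": strongest, "findings": findings}

# Constructed sample: a server that still allows weak mechanisms before STARTTLS.
SAMPLE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=NTLM AUTH=CRAM-MD5\r\n"
```

Run `assess(SAMPLE)` on the pre-TLS banner and again with `tls_active=True` on the capability list re-read after STARTTLS; the difference shows what a server exposes before the channel is protected.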