POP email

Topic

New Reply

I’m trying to understand the practical import of the first section of Susan Bradley’s “Email for the modern world” column in the latest AskWoody newsletter (20.24.0 2023-06-12).  She notes that basic authentication has inherent security weaknesses, but says that “It’s possible to continue to use POP” – mentioning that “Thunderbird and Alpine have built-in provisions to allow it” (I’m not sure what “it” is), that “Outlook is more difficult and may require the use of a third-party tool” and that DavMail is an alternative.  The rest of Susan’s column moves onto other matters.

I’ve been using Outlook for 20+ years and have a 25GB PST file with the emails from that time.  Outlook has all the features I need and I’m reluctant to give it up without good reason.  Poor security might be a good reason, but I’m trying to figure out how bad the problem is.  Also, if I need to make changes, what are the practical steps I should be taking ?e.g., Susan mentions third party tools for Outlook, but isn’t specific.  Any recommendations of specific tools?  Or alternatives for the various pieces of Outlook (email, calendar, reminders…)?

Any thoughts would be appreciated.

Reply | Quote

Replies

When and if your Outlook program stops receiving new mails, the first thing you should do is take a full image backup of your computer to an external hard drive.  The steps forward – migrating Outlook to IMAP for example – are complicated and risky, so you will want to have a backup.

Until that time, if you do not see the benefits of IMAP as valuable, I would just wait for the failure to occur.

1 user thanked author for this post.

GaryB

Reply | Quote

What is your current mail provider? If the backend is online Exchange they are enforcing a “no basic authentication” policy.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

GaryB

Reply | Quote

Susan,

I actually have 3 email providers:  Comcast (which definitely doesn’t require anything special password-wise), a personal domain with email hosted by Zoho (which requires an app-specific password for either IMAP or POP in Outlook if one has turned on 2-factor authentication), and a Gmail account.

Should I be regarding the Comcast and Zoho emails as unsecure – and, if so, what is the easiest solution?  It doesn’t just seem to be a matter of changing from POP to IMAP – it seems something more fundamental has to be done to work around Outlook’s apparent limitation to only basic authentication.

Reply | Quote

GaryB wrote:

’ve been using Outlook for 20+ years and have a 25GB PST file with the emails from that time.  Outlook has all the features I need and I’m reluctant to give it up without good reason.

I too have been a long user of Outlook with POP3 accounts and the PST file safe on my PC’s HDDs. I have already switched my email accounts in Outlook to IMAP which sets up an OST file. I first archived all my emails from my older POP3 PST file (this allows the emails from my POP3 accounts to be accessible directly from the left pane navigation panel in Outlook). I deleted the POP3 accounts and set up a new accounts (Add Account) selecting the IMAP option (if given one). Now I am set up with my email accounts using IMAP but I still want to keep my emails on my HDDs. I then created a new Data File in Outlook to store the emails I wanted to keep from my new IMAP accounts. This new Data file will have all my folders that I save my email in and be in the PST format.

Couple tips:
With the archive of your storage folder for the POP3 displayed in the left navigation pane: expand to show the folders in that archive and right click the main storage folder, select Copy Folder. Open the new Data File and Paste the archived main storage folder. This will paste that storage folder with all the different sub folders you have created to save emails in. You can then archive this new Data file to remove all the emails and leave the folders.

I store the archived POP3 files and the current saved emails in the new Data file to another drive that holds other personal data that is backed up daily giving daily backups of all emails I save.

It really is a lot easier to do than it sounds and in the end you still get to use Outlook and its functions and still keep your emails on your PC.

HTH, Dana:))

1 user thanked author for this post.

GaryB

Reply | Quote

Thanks, Drcard.  I think I can change to IMAP from POP without a major problem but, as noted in my response to Susan, it seems that the authentication for IMAP is no different from the POP authentication, so it doesn’t seem to solve the problem.  Maybe I’m just showing my ignorance of the topic?

Reply | Quote

Unless you see the email platform throw up some sort of GUI like log in as you set up the email it’s still using old fashioned basic authentication which is the weakest link it terms of being cracked, or hash values being saved somewhere where attackers can get to it.

As you set up email on a brand new device – this is where you get informed of how secure your email is.  Unless there is some sort of web based log in that gets “popped” on your computer, you are still using basic authentication.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

You can keep POP mail and use OAuth security. It’s the authentication method that changes, not the delivery method.

Assuming you use SSL/TLS security for the connection and you haven’t got any state secrets to hide, sticking with basic authentication will be OK until your mail provider forces you to change, but if you have to change one, why not do all of them.

cheers, Paul

1 user thanked author for this post.

GaryB

Reply | Quote

Some email host (Gmail being one), are pushing OAuth but still have an alternate form of authentication.  In Gmail’s case it is called an application password (“App Password”).  This is a password that they provide on request.  Who knows how long this option will exist but it’s working now.  It truly is a shame that other email hosts haven’t provided an option to OAuth.  There are many devices out there that send notification emails that can not deal with OAuth, nor should they have to.

1 user thanked author for this post.

GaryB

Reply | Quote

Thanks, Peabody.  Yes, Gmails “app password” gets around the OAuth – but only at the cost of security, which is what Susan Bradley’s original column was about.

I very much appreciate all the responses to my original post, but no-one has explained how one might keep using Outlook while getting the security benefits of OAuth.  Susan hinted that it’s possible in her column (“more difficult” and “may require…a third-party tool”) but I’m still not sure exactly how it would be done.

Reply | Quote

These versions of Outlook support OAuth:

Outlook from Microsoft 365 (desktop version)
Outlook 2019
Outlook 2016

…

Set up Gmail with Outlook on a PC
If you’re using Outlook on a PC, follow the steps at Add a Gmail account to Outlook for Windows, on the Microsoft Office support site.

Set up Gmail with Microsoft Outlook

But:

POP3 accounts and OAuth 2.0 support

When you are using the POP3 protocol to access your Gmail in Outlook, you won’t be able to use OAuth 2.0 in either version of Outlook.

Currently, the Outlook Team has no intention to implement OAuth 2.0 support for POP3 accounts in Outlook.

Instead, you’d have to use an App Password just like you would for older versions of Outlook.

If you’d like to see OAuth 2.0 support for POP3 accounts in Outlook, you can vote for this suggestion on the official Feedback Portal for Outlook; Enable OAuth 2.0 authentication for Gmail POP mailboxes.

Reply | Quote

The security benefits of OAuth are dependent on an email host support it and your email client supporting it for that email host.  OAuth for Gmail is different from OAuth for Microsoft.  I use OAuth for my Gmail account.  I also have a Zoho and rr.com account and have not heard anything from either of them about OAuth.

Reply | Quote