Email Client Security Enhancement for DCU Staff Accounts

Why are POP and IMAP disabled on DCU accounts?

IMAP and POP are legacy methods used for email clients to access email accounts. However, the predominant method of infection in many recent cyber-attacks has been identified as weak email client security.

In line with best practice and to protect DCU data, ISS is now working to deprecate the usage of IMAP and POP on DCU accounts to address the following security risks;

  • IMAP and POP access of Gmail account data is not compatible with DUO MFA and exposes your account and DCU data to additional attacks and risk;
  • IMAP and POP access do not use your main DCU Active directory password and, as such, are not aligned with university policy
  • Susceptible to brute force attacks;
  • Susceptible to password spraying attacks;
  • Susceptible to password reuse attacks;
  • Can facilitate a data breach by providing a method to bulk export university data;
  • Allows data, including passwords, to be transferred from client to server unencrypted in violation of university data handling guidelines;
  • Maintains an always logged on session, which increases the security risk;
  • Widely used for spam and phishing campaigns making DCU accounts more attractive to hackers;
  • Bypasses security controls present in browsers such as view before open and McAfee web protection;
  • IMAP and POP passwords are cached within email clients, which increases the security risk.
Who will be affected?

If you use DCU email through a web browser such as Chrome or Google's Gmail app on a mobile device, nothing will change, and you can continue to access your email as usual. 

The following DCU accounts are affected;

  • Staff;
  • Contractors;
  • Guest accounts; 
  • Generic accounts;
  • Business system mail integration accounts.

The following email applications are affected and no longer work with the DCU accounts listed above;

  • Outlook;
  • Thunderbird;
  • Apple Mail Client;
  • Windows Mail Client;
  • Android Mail Client.

 


Advice on Impacted Applications

If you are using an application that accesses your DCU account with only a username and password, please take one of the following actions listed below to switch to a more secure method. If you are using an application and do not take one of the following actions, you will begin receiving an error message that your username-password combination is incorrect.

Please note that you will not lose any of your DCU emails by moving to any of the methods listed below.

 

Web Browser

Staff can login directly to DCU Apps here: Staff Login

ISS recommend using Google Chrome for accessing DCU Apps as along with being the most popular and powerful browser on the market, Chrome is custom-tuned to provide a flawless experience for Google Apps users. Chrome is available for Windows, Mac and Linux.

 

 

iOS Devices

You may have inadvertently set up your DCU email account on a mobile device such as a phone or tablet using a pre-installed mail app instead of the official Gmail app at the time of purchase. This mail app will stop working and you will need to install Google's Gmail app on your device and add your DCU account. 

 

Android Devices

You may have inadvertently set up your DCU email account on a mobile device such as a phone or tablet using a pre-installed mail app instead of the official Gmail app at the time of purchase. This mail app will stop working and you will need to install Google's Gmail app on your device and add your DCU account. 

 

 
Calendar
 
  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account. 
  • If your G Suite account is linked to the calendar app in iOS or MacOS and uses only a password to log in, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more
 
Contacts 

 

  • If your G Suite account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to log in, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to log in, switch to a method that supports OAuth.