POP+SMTP Setup is on its way out

Here is a prediction: in the next few years traditional POP+SMTP email setup will become virtually extinct. I’m basing this on several factors. For one, no one actually remembers what these things are anymore. My students think that POP is what southerners call carbonated drinks (it’s soda here btw) and that SMTP is a made up acronym that I coined on the spot just to have more buzzwords to test them on. But that’s just one of the factors.

Factor number two, possibly the more important one, is that providing users with SMTP access is becoming less practical every day. Port 25 is pretty much universally blocked across the board. Almost no company or public institution leaves it open these days. Many ISPs do the same thing for their residential clients, insisting that they use their designated SMTP server or nothing at all. Of course, if you go to the trouble of blocking outbound traffic on 25 you might as well also block 587 (which is designated as the official authenticated SMTP port and is the second most common port used for the protocol). Most corporate firewalls are set up to block all outbound traffic except ports 80 and 22 (and sometimes 110 for email). The idea is that clever people will be able to get around the restrictions with SSH tunneling while the sheep can suffer in the name of combating spam and internet worms. Which, btw, is something that I generally approve of. I’m all for locking down firewalls, and protecting lusers from their own stupidity by not letting them do anything.

I’m merely making an observation here. Every day our society becomes more mobile with the proliferation of wifi networks, 3G and other wire-free technologies. Laptop sales are skyrocketing and overshadowing desktop sales. Most of my students never actually owned a desktop. Most of my co-workers do not have desktop computers at their homes. Casual users buy laptops. Desktops are now primarily built for the business sector and the high-end gaming crowd. But while people are getting more mobile, SMTP gets less useful. Let me illustrate this by example.

Let’s say a big company hires a promising young man named Bob. Bob is issued a company laptop since he will be expected to sometimes work from home. Since Bob is an idiot as far as the IT department is concerned, his email was set up for him with the company’s POP and SMTP information ahead of time and he was trained to use it. As expected, his email works perfectly when he is sitting in his cubicle. However, when he takes the laptop home to finish an important project, disaster strikes. He can receive email but he cannot send because his ISP is blocking Port 25. So he spends 4 hours on the phone with his IT department trying to explain to them that his “Microsoft is giving him an error when he tries to send an email”. Then he spends another 4 hours on the phone with his ISP trying to configure his Outlook to use their SMTP server.

Finally he is able to send his super important email at 4am, catches 2 hours of sleep, and is back in his cubicle at 8am, only to realize his email is not working again. It turns out his ISP’s SMTP server doesn’t relay emails from outside of their network. And even if it did, his company is blocking Port 25 anyway, allowing only their own SMTP server to send emails out. The IT folks play rock-paper-scissors to see who gets to deal with Bob-the-Retard this time. The loser makes a cheat sheet for Bob with each step explained in minute detail and accompanied by screen shots and then staples it to Bob’s head so that he doesn’t misplace or eat it.

Of course this story repeats itself whenever Bob visits a new place. Soon enough he has a cheat sheet for work, his apartment, his girlfriend’s house, his favorite coffee shop, the local park, the hotel he stayed at, a conference hall in Boston, etc. Each time Bob moves his laptop from one location to another, he is required to first find out what SMTP server he can use there and then reconfigure his Outlook.
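The check that each of Bob’s cheat sheets encodes by hand, as an added example that is not part of the original post: probe the candidate relays on the ports discussed above and pick the first one the current network lets out. The hostnames are placeholders, the sample networks are constructed, and port 465 is an addition the post does not mention.

```python
import socket

# 25 and 587 are the ports the post names; 465 (implicit-TLS submission) is added here.
PORTS = (587, 465, 25)

def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Classify one outbound TCP attempt as seen from the current network."""
    try:
        conn = connect((host, port), timeout)
    except socket.gaierror:
        return "unresolved"   # relay name does not resolve from here
    except ConnectionRefusedError:
        return "refused"      # reset: nothing listening, or a firewall that rejects
    except OSError:
        return "filtered"     # timeout or unreachable: dropped on the way out
    conn.close()
    return "open"

def survey(relays, connect=socket.create_connection, timeout=3.0):
    """Probe every relay on every port; dict order is the preference order."""
    return {(h, p): probe(h, p, timeout, connect) for h in relays for p in PORTS}

def pick_relay(results):
    """First reachable (host, port) in preference order, or None."""
    return next((k for k, v in results.items() if v == "open"), None)

# --- constructed sample networks so the example runs offline ---
class _FakeConn:
    def close(self):
        pass

def fake_network(rules):
    """Stand-in for socket.create_connection built from
    {(host, port): None for open, or an exception class}; unlisted pairs time out."""
    def connect(addr, timeout=None):
        outcome = rules.get(addr, socket.timeout)
        if outcome is not None:
            raise outcome()
        return _FakeConn()
    return connect

# Placeholder names: company relay first, ISP relay as fallback.
RELAYS = ["mail.corp.example", "smtp.isp.example"]
HOME_25_BLOCKED = fake_network({("mail.corp.example", 587): None,
                                ("smtp.isp.example", 25): None})
HOME_25_AND_587_BLOCKED = fake_network({("mail.corp.example", 465): ConnectionRefusedError,
                                        ("smtp.isp.example", 25): None})
OFFICE = fake_network({("mail.corp.example", 25): None})

if __name__ == "__main__":
    for name, net in [("home, 25 blocked", HOME_25_BLOCKED),
                      ("home, 25 and 587 blocked", HOME_25_AND_587_BLOCKED),
                      ("office", OFFICE)]:
        print(name, "->", pick_relay(survey(RELAYS, connect=net)))
```

An open port only shows that the firewall lets the connection out; a relay that refuses mail from outside its own network, like Bob’s ISP, rejects later in the SMTP dialogue.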

A lot of companies and institutions which employ many Bobs quickly get fed up with this sort of thing. So what do they do? They migrate to webmail solutions. Exchange, for example, has a rich webmail client which looks almost exactly like Outlook and can be used by Bobs when they work outside of the office. Other, more courageous folks make a leap of faith and migrate their email and calendaring to Google Apps or Zimbra.

ISPs, on the other hand, don’t even tell their customers about their POP+SMTP offerings. They provide them with a webmail client instead. Those determined enough can find POP (or IMAP) and SMTP info buried deep in their online help documents.

Public SMTP servers will eventually get phased out and locked behind firewalls. ISPs no longer promote them as it is. How many users will complain if they simply hide the SMTP server from them and request that they use webmail instead? Right now they may alienate a sizable chunk of their customer base but the majority won’t even notice. In 5 years the only people who will complain will be a bunch of us geeks. And no one ever listens to us. We are almost never the target demographic for anything – we are the outliers which skew the statistical analysis.




22 Responses to POP+SMTP Setup is on its way out

  1. Theoretically you are right…
    but there is a big bunch of folks who just want to get their email from freemailservice A to freemailservice B, so they can read everything in one place.
    These people mostly don’t even know that they are using POP, but they do…

  2. Luke Maciak (United States) says:

    Yup. The technology will still be in use. But I predict that in a few years only sysadmins and geeks will know about POP and SMTP. I can envision a scenario when you call up your ISP’s help line asking for POP+SMTP details and no one at the call center knows what the hell you are talking about because that info is not in their documentation. So your call gets escalated, then escalated again until you actually get some top tier tech who will tell you something along the lines of:

    “Yeah, we are not making that accessible to the public anymore due to spam – the server is locked down behind a firewall and won’t accept connections from anything but the webmail server. You’ll just need to use the Webmail service or find another email provider.”

  3. Jake (United States) says:

    My ISP’s SMTP server is very very insecure. mail.bellsouth.net. See what you can do.

  4. Luke Maciak (United States) says:

    @Jake – well, I’m not going to poke around an ISP’s mail server but a cursory port scan shows that only 1 port is open on that machine (110) and nmap couldn’t even make out what OS was running there.

    I can naturally telnet to that port and run basic POP commands but that’s normal behavior for any POP server.

    Why do you think it is not secure?

  5. Ken (Canada) says:

    I agree that in our increasingly mobile and WiFi-enabled world it’s often very difficult to know whether you will be able to send (or reply to) your email whether you’ve taken your laptop home or have it with you in the airport lounge. With apologies in advance for the commercial, I am working with a company that solves Bob’s problem sending work email from home. Loa PowerTools also works for a lot of other mobility problems, but I don’t want to abuse this post any more than I already have.

  6. Luke Maciak (United States) says:

    Ken, how does Loa work, if you don’t mind me asking? I just wanted a general idea, cause the website doesn’t really say how this is achieved. Do you tunnel the mail traffic somehow?

    Would Loa work in an environment where every single outbound port including 80 is blocked and users must use a heavily filtered proxy to browse the web? So you can’t establish a VPN or SSH tunnel of any kind. These sorts of environments are increasingly common in corporate settings.

  7. Ken (Canada) says:

    Loa is designed to work in any setting where you might otherwise have to use Webmail; i.e. any environment where you can run a browser. If you’re locked down more tightly than that, you’ll have problems. We haven’t encountered any situations where a “heavily filtered proxy” presents a problem. Not to say that such an environment doesn’t exist, but we haven’t found it yet.

    Thanks for asking.

  8. ths (Germany) says:

    I can see clearly that you’re working in a university department and not in the industrial sector. no offence meant ;)

    Any decent company with reasonable IT staff would never allow employees to work at home and send confidential stuff over some ISP’s public servers, independent of the protocol used.

    You would require a VPN client which connects to your company’s outbound firewall, tunneling all important data under SSL protection, with the great advantage, that you have access to all of your company’s resources, like network drives, YP, blogs, wikis, internal servers etc.
    With a VPN client you are independent of the location, all you require is correct IP routing.

    I would bite off every IT architect’s head who suggested to me exposing a Lotus Notes system to the internet ;)

    I can work at home for my company, and my AT&T VPN client can even connect via http proxy to use persistent HTTP CONNECT method (I have a linux server with squid for this).

  9. Luke Maciak (United States) says:

    @ths – yes, and no. I also work for a small company where we have 4 people sitting in an office and 60+ people doing audits in the field. They go into a company to detect fraud, and they cannot always count on kindness of local IT staff, or even any kindness at all. A lot of times they don’t even get internet access while in the field and when they do, it is often locked down very tightly.

    We’d love to have all of them connecting via VPN but a lot of the time it just doesn’t work that way. And there is also the fact that half of our employees are merely contractors and the powers that be don’t want them to use company equipment or resources. They don’t get a company laptop – they use their own, and the only thing we provide them is an email account. We were explicitly told not to give them VPN access.

    Corporate world works one way. The world of tiny companies is a whole other mess. :P

  10. Hector (Spain) says:

    There’s one more thing that adds to your scenario. When I send mails from home using the university e-mail I am forced to use my ISP’s SMTP server, as you describe in Bob’s odyssey (thunderbird+smtpswitch help a lot!). But as those mails are sent as “user@thisuniversity.edu”, but do not come from the university SMTP server, there’s a chance that they are considered spam. And this chance gets to almost certainty if the mail is addressed to another user at the university… and I can’t really complain, I probably would’ve set the mail server to drop those mails too (“mmm… again, you say this e-mail comes from where?”).

  11. ths (Germany) says:

    when your contractors are explicitly not allowed VPN connection to secure the communication, this is quite poor, especially if you’re in the auditing and fraud detecting business where confidentiality is mandatory. again, no personal offence meant.
    there are other means of securing internal confidential data against contractors instead of not allowing them in.
    just as a sidenote, although imho it’s overpowered for this scenario: have a look at IBM’s Tivoli access manager for e-business (or the whole “access manager” suite of products). This is great stuff.

  12. Luke Maciak (United States) says:

    @ths – well, I presume that the main reason is money. If we want to give VPN access to more users we need to buy more CALs from Microsoft cause they are total windows whores here. Some people do use VPN, but not all.

    Although now that you say that, I guess we could probably just throw in a linux box into the mix to do VPN for mere mortals (and perhaps firewall it from the parts of the network I don’t want people poking into). That’s something to look into.

    Security was never a big priority here until recently. Or rather it is not a big priority now, but at least it got added to the very bottom of our priority list so it’s an improvement. We do make people submit confidential files via SSL encrypted site, and they do use WinZip’s AES 128 bit encryption on email attachments. We also have plans to deploy PGP at some point but at $200 per user it is a hard pill to swallow for the mgmt and I’ve been toying with GPG+Outlook recently to see if I can make it not suck.

  13. Ken (Canada) says:

    Yes, the real world of corporate IT policy, IT use and working reality is far richer and more complex than it appears from outside. And it’s often more complex than it appears from the point of view of the IT policy makers on the inside. IT may make policies regarding how data are protected and how email is sent, etc., but employees, especially field employees, have to get their jobs done. It’s not uncommon to look at the VPN logs to find that the only time a field employee used it was when he or she was being given the training on how to use it. Out in the field, they have to find other ways to do their jobs.

    One of Loa’s customers put it to me this way recently (I’ve edited a bit to protect his identity)

    I work virtually (I live in [one city] and my company is in [another]). … I do not like being logged into the vpn all day because it slows my computer down, and attachments are painfully slow. I would like to use Outlook, though, vs. web mail because of its extra features.

    That’s just one example of what I mean by the rich and complex reality that people face in their working lives. It means that unless the IT policy is built on the right tools, important email that has to go to customers now when the sales person is in the airport lounge is sent via an airport WIFI connection in clear text and originates from bigdaddy69@hotmail.com, or stored on a Google server somewhere being mined by Google’s software, all because the VPN didn’t work from behind that particular firewall. When confronted with this breach of IT policy, the sales department’s (correct) response is “Did we want the order or not? And if the answer is that we didn’t want the order, are you going to pay my missed commission?” Meanwhile, the CIO and the CEO are signing off statements to regulators warranting that the company’s intellectual property was appropriately protected at all times during the preceding quarter.

  14. Zack (United States) says:

    I’m surprised no one has mentioned this at all… but what about organizations using Microsoft Exchange? You mentioned the OWA (Outlook Web Access) but not the Outlook over HTTP/S or Outlook Anywhere (as it’s called in Exch. ’07). My computer uses this and it works amazingly, no VPNs needed. My office computer, my home computer, my traveling laptop, and my WM based phone are all sync’d up together. Granted this may not be AS secure as a VPN, but it works through the HTTPS protocol, so you don’t have issues with ports being blocked and you have a secure connection as well. It’s essentially using Outlook Web Access through Outlook (if that makes sense). This solution is used by many companies that I work for.

  15. Luke Maciak (United States) says:

    @Zack – that’s what I believe will happen for a lot of small companies. They will reluctantly switch to Exchange to avoid the hassle. And yeah you are right – Exchange will work in a lot of places where regular SMTP wouldn’t. But it too can be firewalled. Again, I had employees in places where ALL outbound ports were closed and the only way to browse the web was to use the company’s HTTP proxy server.

    Unfortunately excel is not always the best solution. Let’s face it – POP+SMTP is essentially free + maintenance cost of the linux boxen that run these services.

    Exchange is maintenance + licensing fees + the windows tax. No matter how you cut it, it is more expensive. And it is yet another chain Microsoft can yank whenever they want more money.

    I’ve seen some people switch to Zimbra. In fact I know a guy who works at a company that used to offer cheap POP+SMTP and Exchange hosting to small business sector. They are discontinuing the plain POP+SMTP service and replacing it with Zimbra.

  16. I remember the big phase when Google began supporting it.
    And people were all skeptical about whether or not they could do it.

  17. Alphast (Netherlands) says:

    I guess I am part of the happy few who don’t have that kind of problem at all. Everything we do at work is accessible through HTTPS and our company e-mail are sent via IMAP server. For me, it is irrelevant to whether I am at home or at the office…

  18. Allan (Philippines) says:

    uhh..
    hmm..
    have you ever considered 3rd world countries?

  19. Luke Maciak (United States) says:

    @Allan: What do you mean? I figured they would be in the same boat. Bigger ISPs would offer webmail solutions (e.g. SquirrelMail). Small and local ISPs would probably do things the old fashioned way.

    I’m not saying POP and SMTP will go away completely. I’m just saying that major ISPs might phase them out completely and replace them with webmail, and most users won’t even notice. Small ISPs are a different matter.

  20. ths (Germany) says:

    I still cannot understand why people are allowed to break security policies and come away with it. If the VPN is slow then IT department has an issue to fix it, but accepting the employees to willingly circumvent rules that are there for a reason is not a negotiable solution.
    It’s so strange that people consider rules subject to their personal discretion.
    And as for the airport WIFI: if it’s not WPA2 I wouldn’t even be able to connect with my company laptop to it, since it’s locked down to only allow WPA2.

  21. Luke Maciak (United States) says:

    @ths: I agree with what you say, and I applaud your IT department for doing the WPA2 thing.

    Oh, and it’s not like we have people refusing to use VPN. It’s just that there is no explicit policy that forces VPN use. If there is a policy, we can enforce it. If there is no policy, we can write it up and suggest it and then the powers that be can either approve it or shelve it depending on how much it is going to cost in implementation, how much training will be required, etc.

    More often than not security related stuff gets shelved “for later”. So in other words apathy towards security from up top results in a sense of apathy towards security reforms from IT and general state of complacence.

  22. Buklet (Turkey) says:

    More often than not security related stuff gets shelved “for later”
