8

Gmail tells me if someone new logged in to the web-interface (device, browser etc.)

But what about IMAP logins?

If someone has my password, can he stealthily read my mails over IMAP?

Burgi
    Possibly relevant: http://security.stackexchange.com/questions/25042/is-using-gmails-browser-based-client-more-secure-than-using-imap – Burgi Dec 03 '15 at 11:51

2 Answers

1

Yes if you don't have two-factor.

No if you do.

If you enable two-factor, then the IMAPS connections require a generated app password, which you can only get by logging into your Google account profile and generating it online. You can't set these passwords, but you can leak them, so be careful not to store them beyond what the email client requires to function.

Disabling POP and IMAP is the best mitigation. If you really need IMAP then two-factor is a good mitigation. Two-factor is good to enable either way.

Alain O'Dea
1

It is not supported by the IMAP protocol itself, or I must have overlooked it in the RFC. So yes, they can. It can only be mitigated at the email client level if its back-end is capable of implementing security measures like controlling access to an email account based on IP/device. In the case of Gmail, Google can store these accesses and potentially inform you. However, if you did not use Gmail but rather some local email provider, you wouldn't notice that anyone is accessing your emails over IMAP, unless that same email provider has implemented an email client (or provided an API for other developers to implement) that interacts with the information that is available to them (such as login attempts/successes).

Stef Heylen
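An added example, not part of either answer and not any provider's own code: a sketch of the server-side check the second answer describes, where the mail provider records successful IMAP logins and flags the first login for an account from an address it has not seen before. The log lines are constructed samples in the style of a Dovecot `imap-login` log; the exact format, the `new_source_alerts` helper and the baseline addresses are assumptions to adapt to your own server.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Dovecot imap-login log (assumed format).
SAMPLE_LOG = """\
Dec 03 09:01:12 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Dec 03 09:05:40 mail dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10, TLS
Dec 03 11:30:02 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Dec 03 11:47:55 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<alice@example.org>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.10, TLS
Dec 03 11:51:19 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.10, TLS
"""

# Only successful logins ("Login:") are matched; rip= is the remote (client) address.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def new_source_alerts(log_text, known=None):
    """Return (timestamp, user, ip) for each successful IMAP login from an
    address not previously seen for that user. `known` maps user -> set of
    addresses already trusted (for example, loaded from earlier logs)."""
    seen = defaultdict(set)
    for user, ips in (known or {}).items():
        seen[user].update(ips)
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failed logins and other log lines are not handled here
        user, rip = m["user"].lower(), m["rip"]
        if rip not in seen[user]:
            alerts.append((m["ts"], user, rip))
            seen[user].add(rip)  # alert once per new address, not on every login
    return alerts

if __name__ == "__main__":
    baseline = {"alice@example.org": {"198.51.100.7"},
                "bob@example.org": {"198.51.100.22"}}
    for ts, user, ip in new_source_alerts(SAMPLE_LOG, baseline):
        print(f"{ts}: first IMAP login for {user} from {ip}")
```

An address-only baseline is noisy for mobile clients that change networks often, so a real deployment would usually notify the account owner rather than block the login.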