I have an IMAP + SMTP server running Linux, using Dovecot + Postfix.
The server only accepts connections via TLS and uses clear text authentication once the tunnel is established.
I was checking mail logs today and I was concerned about the unknown remote IP addresses listed for some IMAP connections. After some research, I found that the identifiers correspond to Outlook for Android customers.
I am convinced that the identifiers are legitimate since:
- no unauthorized mail has been sent
- there were no unsuccessful login attempts
- the behavior has been consistent since the installation of Outlook clients for Android
- remote IP addresses appear to be registered with Microsoft.
Remote IP addresses are in the blocks:
- 52.125.138.x
- 52.125.140.x
- 52.125.141.x
Journal entries look like:
pigeonhole: imap-login: Username: user=<...>, method=LOGIN, rip=52.125.x.x, lip=x.x.x.x, mpid=x, TLS, session=<...>
I can only assume that the Outlook Mobile client is designed to use an intermediate server.
It is likely to preserve the battery life by allowing the MS server to query the actual mail server and send notifications to the phone.
However, as far as I know, this means that Microsoft must store (at least temporarily) the user identification information in plain text on their intermediary servers.
Is it possible that they can authenticate via a TLS tunnel from their own server rather than the client device without sharing the credentials?
Does this mean that the intermediary server is able to read the mail before transmitting it to the client?
Is this behavior documented or known?
Others seem to have noticed this behavior:
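A check of the kind the question calls for, written here as an added example (it is not from the question or from Dovecot's own tooling): it parses Dovecot imap-login entries shaped like the one quoted, classifies each login's rip against the three listed blocks (assumed here to be /24 networks), and reports which accounts have had their password presented from those addresses, plus any login without the TLS marker. The sample log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Blocks the post lists for Outlook for Android; read as /24 networks (assumption).
INTERMEDIARY_NETS = [ipaddress.ip_network(n) for n in
                     ("52.125.138.0/24", "52.125.140.0/24", "52.125.141.0/24")]

# Constructed sample of Dovecot imap-login entries (documentation addresses).
SAMPLE_LOG = """\
mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.25, lip=192.0.2.10, mpid=4121, TLS, session=<a1b2c3>
mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=52.125.138.17, lip=192.0.2.10, mpid=4130, TLS, session=<d4e5f6>
mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=52.125.141.9, lip=192.0.2.10, mpid=4142, TLS, session=<g7h8i9>
mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.40, lip=192.0.2.10, mpid=4150, session=<j0k1l2>
"""

def parse_login(line):
    """Parse one successful 'imap-login: Login:' line into a dict, else None."""
    marker = "imap-login: Login: "
    start = line.find(marker)
    if start < 0:
        return None
    fields, flags = {}, set()
    for tok in line[start + len(marker):].strip().split(", "):
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val.strip("<>")   # user=<alice> -> alice
        else:
            flags.add(tok)                  # bare markers such as TLS
    fields["rip"] = ipaddress.ip_address(fields["rip"])
    fields["tls"] = "TLS" in flags
    return fields

def via_intermediary(addr):
    return any(addr in net for net in INTERMEDIARY_NETS)

def summarize(log_text):
    # Per user: addresses seen directly vs. from the listed blocks, and logins lacking TLS.
    report = defaultdict(lambda: {"direct": set(), "intermediary": set(), "no_tls": 0})
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec is None:
            continue
        bucket = "intermediary" if via_intermediary(rec["rip"]) else "direct"
        report[rec["user"]][bucket].add(str(rec["rip"]))
        if not rec["tls"]:
            report[rec["user"]]["no_tls"] += 1
    return dict(report)

def users_via_intermediary(log_text):
    # Accounts whose password has been presented to the server from the intermediary.
    return sorted(u for u, r in summarize(log_text).items() if r["intermediary"])
```

Run it over /var/log/mail.log (or journalctl -u dovecot output) to list the accounts that have enrolled the Outlook app and therefore have their credentials held by the intermediary.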