I am working with a new partner who has provided an 'internal' messaging service using an email server. It is designed to provide secure communications between geographically widespread individuals all working under a common domain for messaging (email). I am using Thunderbird as the mail client.
The MTA is set up for sending through port 587 using SSL and a plain-text password, which I believe to be adequate as the whole session is encrypted, but incoming email is on port 143 without a tunnel, but with an encrypted password. Can someone more security literate than I please confirm whether this is as insecure in terms of message receipt as I believe it to be?
There is no external routing - all within a direct connection to the MTA, so I don't have to worry about the security of other MTAs - but my concern is that the user name and indeed the entire message may be in plain text, and even more concerning, a 'man in the middle' may be able to copy the encrypted password and use it to log in, even if they cannot decrypt it back to plain text.
Are my concerns over the top?
The data being moved this way is reasonably serious personal financial data for various third party individuals who have given permission for secure processing of their data.
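The following is an added example, not code from the question's author or from the partner's service. It shows the check a defender would run against the receiving side described above: an IMAP server announces what it protects in its CAPABILITY response, and port 143 is cleartext unless `STARTTLS` is both offered and required by the client. Thunderbird's "encrypted password" setting typically selects a challenge-response mechanism such as `AUTH=CRAM-MD5`, which hides the password value itself but nothing else on the wire. The CAPABILITY lines below are constructed samples; `fetch_capabilities()` is an optional live probe against a hypothetical host and is not needed to run the assessment.

```python
"""Classify an IMAP endpoint's transport and authentication posture from its
CAPABILITY response.  Added example, not from the original post."""
import imaplib

# Constructed sample CAPABILITY lines, as a server would send after connect.
SAMPLE_CLEARTEXT_ONLY = "IMAP4rev1 LITERAL+ AUTH=CRAM-MD5 AUTH=PLAIN"
SAMPLE_WITH_STARTTLS = "IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"


def assess_capabilities(capability_line: str, port: int) -> dict:
    """Return what the connection protects and what it exposes.

    Port 993 is implicit TLS; port 143 is cleartext until STARTTLS is issued.
    """
    caps = set(capability_line.upper().split())
    mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    if port == 993:
        transport = "implicit-tls"
    elif "STARTTLS" in caps:
        transport = "starttls"
    else:
        transport = "cleartext"

    findings = []
    if transport == "cleartext":
        findings.append("usernames, folder names and message bodies cross "
                        "the network unencrypted")
        if "CRAM-MD5" in mechs or "DIGEST-MD5" in mechs:
            findings.append("challenge-response auth hides only the password "
                            "value; every other byte of the session is exposed")
        if "PLAIN" in mechs or "LOGINDISABLED" not in caps:
            findings.append("server also accepts password-in-clear logins "
                            "on this port")
    elif transport == "starttls":
        findings.append("STARTTLS offered; the client must be configured to "
                        "require it, otherwise a downgrade leaves the session "
                        "in clear")
        if "LOGINDISABLED" not in caps:
            findings.append("server still allows LOGIN before STARTTLS")
    return {
        "transport": transport,
        "auth_mechanisms": mechs,
        "login_disabled": "LOGINDISABLED" in caps,
        "findings": findings,
    }


def fetch_capabilities(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Connect to a live server and return its CAPABILITY line (needs network).

    imaplib performs the CAPABILITY exchange on connect and stores the
    upper-cased tokens in conn.capabilities.
    """
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, timeout=timeout)
    else:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        return " ".join(conn.capabilities)
    finally:
        conn.logout()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for line, port in ((SAMPLE_CLEARTEXT_ONLY, 143), (SAMPLE_WITH_STARTTLS, 143)):
        print(port, assess_capabilities(line, port))
    # Live use (hypothetical host):
    # print(assess_capabilities(fetch_capabilities("imap.example.test", 143), 143))
```

A result of `transport == "cleartext"` for the server in the question would confirm the concern in the post: the password itself may be protected by the challenge-response exchange, but the user name, folder listing and full message bodies are readable by anyone on the path. The remediation on the client side is to set Thunderbird to "SSL/TLS" on port 993 (or "STARTTLS" on 143 only if the server offers it), and on the server side to advertise `LOGINDISABLED` until TLS is negotiated.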