Security – IMAP connections from Microsoft IP addresses when using Outlook

Tags: email, imap, security

I run a Linux based mail server and use Dovecot to provide IMAP over TLS access. This server has been up and running for a bit more than 8 years now and it serves my email address along with those of my clients.

As this is one of my business activities, and one that is very important to all my clients that want a reliable and secure email service, I am very attentive and concerned with security and privacy issues.

I have no issues with my configuration whatsoever, it has been running very smoothly for so long and I am very happy with it. The only incidents I had were small, occasional and usually related to connectivity issues or a config update done too hastily.

Packages and distro versions are not the latest but they are stable and updated with the latest security fixes.

So, my point finally, I have been noticing for a while now that if I use a client like Outlook for mobile, I see connections from unknown IP addresses.
Those IP addresses are not even in the country I am physically in and have nothing to do with the network (or networks) my devices are connected to.

doveadm who gives me this information and the logs tell me also that those connections stay up basically always:

Jan 16 21:13:46 imap-login: Info: Login: user=<REDACTED EMAIL>, method=LOGIN, rip=52.125.138.151, lip=X.X.X.X, mpid=8175, TLS, session=

This is related to my email account on my server, the lip is of course my server's IP.
I am also seeing another IP address connected to my account, and that one corresponds to my internet connection (or whatever network I am connected to).

So the question is: is it safe? Is it just a proxy (but I use TLS...), or when I set up my account with Outlook did my password get stored on Microsoft servers?

I had exactly the same issue with another application (I think it was Spark for Mac and iOS) and I had to go through a lengthy process to delete my information from their service; I had to contact their support and finally changed my password. Why? Because I was seeing their IP addresses connected to my server and my IMAP account months after I deleted their app from all my devices.

I am wondering if anybody else noticed this behavior and if I am too concerned about it.
I understand those applications want to add features to "email" that would be impossible to have otherwise, but I see it as a security issue.
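As an added example, not code from the question or the answer, here is a small Python check over Dovecot imap-login lines of the form quoted above: it parses the rip field and lists, per account, the client addresses that fall outside the networks the operator expects their own devices to use. The expected networks, the user name and the lip value are constructed sample values; only 52.125.138.151 is taken from the question.

```python
import re
import ipaddress
from collections import defaultdict

# Dovecot imap-login "Login:" line in the format shown in the question
# (session= is empty there as well).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) imap-login: Info: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)

# Networks the operator's own devices are expected to log in from
# (constructed sample values; replace with your real home/office/mobile ranges).
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]


def parse_login(line):
    """Return the fields of an imap-login 'Login:' line, or None for other lines."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["rip"] = ipaddress.ip_address(rec["rip"])
    except ValueError:
        return None
    return rec


def unexpected_logins(lines, expected=EXPECTED_NETWORKS):
    """Map each user to the sorted remote IPs that logged in from outside 'expected'."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_login(line)
        if rec is None:
            continue
        if not any(rec["rip"] in net for net in expected):
            hits[rec["user"]].add(str(rec["rip"]))
    return {user: sorted(ips) for user, ips in hits.items()}


# Constructed sample log: one login from the Microsoft range seen in the question,
# one from the operator's own network, and one non-login line to be ignored.
SAMPLE_LOG = """\
Jan 16 21:13:46 imap-login: Info: Login: user=<alice@example.org>, method=LOGIN, rip=52.125.138.151, lip=198.51.100.10, mpid=8175, TLS, session=
Jan 16 21:14:02 imap-login: Info: Login: user=<alice@example.org>, method=LOGIN, rip=203.0.113.25, lip=198.51.100.10, mpid=8190, TLS, session=
Jan 16 21:15:11 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.7, lip=198.51.100.10, TLS
"""

if __name__ == "__main__":
    for user, ips in unexpected_logins(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: logins from outside expected networks: {', '.join(ips)}")
```

Run it against `journalctl -u dovecot` or the mail log on a schedule; a third-party client that proxies IMAP through its own cloud shows up as a persistent rip outside your own ranges, exactly as in the question.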

Best Answer

We've seen the same type of connections from users of the Outlook Mobile App. I can't see how this would be compliant if you are in an environment that requires you to control the flow of data.

If you are just concerned about the security of Azure servers I would venture a guess that they are technically secure since it's MS but I don't see a way to actually validate the security.

Discovered Outlook Mobile App uses a stateless protocol translator component that is built and run in Azure.

Discovered Office 365 users complaining that the Outlook Mobile App doesn't abide by protocol policies. In other words, even if you disable protocols for a user the app is still able to connect.

Others have stated that even though a protocol was disabled server side the App was still able to connect to the account and that the connection wouldn't terminate until initiating a remote wipe or manually removing the program from the device.

Found an article from MS illustrating the connection, and they note that data is cached on an Azure server for 3-7 days after terminating an account.

https://practical365.com/clients/mobile-devices/outlook-for-ios-android-still-able-to-connect-after-disabling-activesync/
https://docs.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/use-basic-auth?view=exchserver-2019
