There is a big difference between the POP3 protocol and SSL+POP3(which happens to be called SPOP3 when utilized in conjunction with one another) protocol suite. You will NOT be able to analyze SPOP3 traffic on a firewall unless one of two scemarios are in place:
1) The firewall is located on the receiving node.
2) You utilize a SSL proxy.
So how would one filter against an encapsulated activeX script if they could not read the payload of an encrypted SSL packet? hhmmm.
Your statements that securing POP3 is useless, are completely absurd. Every attempt to contribute another layer to a security posture is by no means at all useless. The fact that you believe that a "layered approach" is not a worthy security principle; simply shows your inability to understand the sole purpose of information security. Which is to secure data with the following two results in mind:
1) based on its "value"
2) based on the effort needed to compromise the data
Otherwise we could all just utilize resource intensive encrypted protocols all the time. Let's all generate 15,000 bit assymetric keys and then calculate our encryption utilizing gigaflops of processing power to send a 100KB email to the group. That is pretty farfetched, but so are your statements.
Not everyone here can call up their ISP and elicit them to alter their standard operating procedures to the liking of a single client. Maybe they just happen to have an administrator on hand with nothing to do at the time; and just so happens they have a free SSL certificate laying on their desk. Wouldn't that be grand.
Anybody in this mailinglist can blurt out the most obvious of security measures to secure a system in a perfect world. The 1000-pound gorilla stance on security might work in your world, but not in mine or anyone elses for that reason. Wait --- if you really wanted to be secure why are you connected to the internet? You had better go pull the plug right away!
hhmmpphh...
Furthermore, your statements that the aforementioned threats cannot be mitigated through egress filtering is completely wrong. I think you are confused here. The egress filtering is for "outbound" traffic. This has absolutely nothing to do with someone reading your POP3 traffic -- which was your reasoning for utilizing SSL correct?. When you discuss securing POP3 with SSL tunneling you are referring to ingress traffic(minus the traffic need to facilitate transport). Your statement that not utilizing outlook will mitigate a malicious script is unfounded. So you are saying that if I utilize another MUA that there are not any vulnerabilities for the selected application. Great where do we sign up for that?! Obviously this is untrue ... even to the most basic end-user. Another MUA could be compromised just as easily as outlook --- therefore it too could allow transmission of outbound traffic. That is why egress filtering is important. Remember VB; egress--out, ingress--in. We are talking about egress traffic.
Also, I don't recall the end-user stating that they happened to have an SSL "provision"(as you call it) available to them. So you would have them utilize a "provision" that they don't have? Interesting. While I am at it ... I am sending this message on a computer that I don't have as well.
You really should review your statements more carefully before posting. At a minimum, you may want to research who's comments you are referring to as being "dumb". Your outspoken and inflammatory comments may make sense to individuals with lesser experience in the realm of information security; but alot of us here make a living playing with packets --- we know what is BS and what is not.