Hector Santos wrote:
> My only input with this would be to be aware that ESMTP AUTH is typically
> also used to open routing access in addressing the dynamic IP roaming user.
> It also enforces a non-null address, and in our case, optionally enforces or
> restricts the return path domain provided.
> In other words, ESMTP AUTH trumps all. LMAP or no LMAP, it opens routing
> to users.

Yes, except that AUTH does nothing on the public internet if spammers can
originate messages from someone without authenticating as that someone.
These are complementary. LMAP makes it so that mail from a given address can
only come from a limited set of servers, and AUTH lets those servers ensure
that the address on mail they're transmitting is not forged.
AUTH is only useful within an organization, not across the public internet.
You can't expect to connect to one of AOL's MX servers, AUTH as somebody
(how would you if you're not an AOL subscriber?), and have that server
accept your mail. Note that a roaming user connecting to the home server is
'within an organization'.
> Note, there are 3 basic ways email (smtp/pop3) server vendors open access to
> relaying/routing:
> 1) The traditional IP relay tables
> 2) ESMTP AUTH
> 3) POP3 BEFORE SMTP
> The latter is often used by ISPs to reduce the user support issues created by
> the first two. The first doesn't help the roaming user problem and the
> second requires ESMTP-ready end-user software and additional ISP setup
> instructions for the user.

Every major MUA has supported AUTH for a long time, AFAIK. Outlook, Outlook
Express, Netscape (in all variants since at least 4), Eudora, etc. The real
cost is user implementation. It imposes a massive support cost on any
organization that does not control the machines used to send mail, such as
most commercial ISPs. Note, however, that this does not affect AOL, because
users must login before they can originate email. They have a semantically
more sensible equivalent to POP-before-SMTP.
> However, POP3 BEFORE SMTP is based on the premise that most end-user mail
> software POP3 into a system before SENDING any mail. For example, you will
> see this option in Outlook as
> (*) Pick up mail first before sending mail
> or something like that as alternative option to ( ) Server requires login to
> send mail.

POP-before-SMTP was an ugly hack to make up for shortcomings in existing
software. Unfortunately, it stuck. It's clearly obsoleted by SMTP AUTH, but
there's no compelling reason for users to switch, and thus ISPs have to deal
with the inertia of their users. I think we're going to have to live with it
for a long time.
However, that does not change the fact that LMAP and user authentication
target 2 complementary but separate problems: domain forgery, which prevents
holding anyone accountable, and user forgery, which is a nuisance best dealt
with by the organization that hosts the user's address, since they are
uniquely able to authenticate the user.
Philip Miller
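To make the three relay-opening mechanisms discussed above concrete, here is an added example (my own code, not from the thread or from any vendor's server) of the decision a submission server makes for a non-local recipient, including the non-null return path and restricted return-path domain that AUTH enforces in Hector's setup. The relay network, the local domain, the 15-minute POP window and the POP3 login log are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample policy; every value here is an assumption, not from the thread.
RELAY_NETS = [ip_network("192.0.2.0/24")]    # 1) traditional IP relay table
POP_WINDOW = timedelta(minutes=15)             # 3) POP-before-SMTP grace period
LOCAL_DOMAINS = {"example.net"}                # return-path domains AUTH users may use
SAMPLE_NOW = datetime(2004, 3, 1, 12, 0)
SAMPLE_POP_LOGINS = {                          # constructed POP3 login log: ip -> last login
    "198.51.100.7": SAMPLE_NOW - timedelta(minutes=5),
    "203.0.113.9": SAMPLE_NOW - timedelta(hours=2),
}

def pop_before_smtp_ok(client_ip, pop_logins, now):
    """3) POP-before-SMTP: relay if this IP fetched mail within POP_WINDOW.
    Weakness: the grant is per IP, so anyone behind the same NAT inherits it."""
    last = pop_logins.get(client_ip)
    return last is not None and now - last <= POP_WINDOW

def auth_sender_ok(mail_from):
    """2) ESMTP AUTH submission: the return path must be non-null and its
    domain one we host (the 'enforces or restricts the return path' point)."""
    if not mail_from:                # null reverse path "<>" refused from AUTH users
        return False
    _, _, domain = mail_from.rpartition("@")
    return domain.lower() in LOCAL_DOMAINS

def relay_decision(client_ip, auth_user, mail_from,
                   pop_logins=SAMPLE_POP_LOGINS, now=SAMPLE_NOW):
    """Return (allowed, reason) for a request to relay to a non-local recipient."""
    if auth_user is not None:                      # AUTH trumps all ...
        if auth_sender_ok(mail_from):              # ... subject to the return-path rule
            return True, "auth"
        return False, "auth-bad-return-path"
    ip = ip_address(client_ip)
    if any(ip in net for net in RELAY_NETS):       # 1) static relay table
        return True, "relay-table"
    if pop_before_smtp_ok(client_ip, pop_logins, now):
        return True, "pop-before-smtp"
    return False, "relaying denied"

if __name__ == "__main__":
    for args in [("198.51.100.7", "alice", "alice@example.net"),
                 ("198.51.100.7", "alice", ""),
                 ("192.0.2.5", None, "bob@example.org"),
                 ("198.51.100.7", None, "anyone@example.org"),   # recent POP login
                 ("203.0.113.9", None, "anyone@example.org")]:   # POP login too old
        print(args, "->", relay_decision(*args))
```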
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg