Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?

2003-12-15 20:21:40
Hector Santos wrote:
My only input with this would be to be aware that ESMTP AUTH is typically
also used to open routing access in addressing the dynamic IP roaming user.
It also enforces a non-null address, and in our case, optionally enforces or
restricts the return path domain provided.

In other words, ESMTP AUTH trumps all. LMAP or no LMAP, it opens routing
to users.

Yes, except that AUTH does nothing on the public internet if spammers can originate messages from someone without authenticating as that someone. These are complementary. LMAP makes it so that mail from a given address can only come from a limited set of servers, and AUTH lets those servers ensure that the address on mail they're transmitting is not forged. AUTH is only useful within an organization, not across the public internet. You can't expect to connect to one of AOL's MX servers, AUTH as somebody (how would you if you're not an AOL subscriber?), and have that server accept your mail. Note that a roaming user connecting to the home server is 'within an organization'.

Note, there are 3 basic ways email (smtp/pop3) server vendors open access to

1)  The traditional IP relay tables

The latter is often used by ISPs to reduce the user support issues created by
the first two. The first doesn't help the roaming user problem and the
second requires ESMTP-ready end-user software and additional ISP setup
instructions for the user.

Every major MUA has supported AUTH for a long time, AFAIK. Outlook, Outlook Express, Netscape (in all variants since at least 4), Eudora, etc. The real cost is user implementation. It imposes a massive support cost on any organization that does not control the machines used to send mail, such as most commercial ISPs. Note, however, that this does not affect AOL, because users must login before they can originate email. They have a semantically more sensible equivalent to POP-before-SMTP.

However, POP3 BEFORE SMTP is based on the premise that most end-user mail
software POP3 into a system before SENDING any mail. For example, you will
see this option in Outlook as

            (*)  Pick up mail first before sending mail

or something like that as alternative option to ( ) Server requires login to
send mail.

POP-before-SMTP was an ugly hack to make up for shortcomings in existing software. Unfortunately, it stuck. It's clearly obsoleted by SMTP AUTH, but there's no compelling reason for users to switch, and thus ISPs have to deal with the inertia of their users. I think we're going to have to live with it for a long time. However, that does not change the fact that LMAP and user authentication target 2 complementary but separate problems: domain forgery, which prevents holding anyone accountable, and user forgery, which is a nuisance best dealt with by the organization that hosts the user's address, since they are uniquely able to authenticate the user.

Philip Miller
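The two complementary checks discussed in this thread, modelled as an added example (not code from the thread or from any product mentioned in it): an LMAP-style per-domain sender-IP policy applied by the receiving MX, and a submission-side check that a login authenticated with ESMTP AUTH may only use return paths belonging to it. The policy tables, domains and IP addresses are constructed for illustration.

```python
"""Constructed model of LMAP-style and AUTH-style checks (example code)."""
import ipaddress

# Constructed LMAP-style policy: domain -> networks allowed to transmit its mail.
LMAP_POLICY = {
    "example.com": ["192.0.2.0/24"],
    "example.net": ["198.51.100.10/32"],
}

# Constructed submission-side table: authenticated login -> return paths the
# home server will accept from that login (the "restricts the return path" case).
AUTH_RETURN_PATHS = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
}


def lmap_check(mail_from, client_ip, policy=LMAP_POLICY):
    """Receiving-MX decision: may client_ip send mail for mail_from's domain?

    Returns 'pass', 'fail', or 'none' when the domain publishes no policy.
    This addresses domain forgery: a host outside the published set cannot
    claim the domain, whoever it is.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    networks = policy.get(domain)
    if networks is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in networks):
        return "pass"
    return "fail"


def submission_check(auth_user, mail_from, table=AUTH_RETURN_PATHS):
    """Home-server decision after ESMTP AUTH: may this login use this return path?

    A missing login or a null return path is refused (AUTH enforces a
    non-null address). This addresses user forgery within the organization,
    which only the hosting organization can check, since it holds the credentials.
    """
    if not auth_user or not mail_from:
        return False
    return mail_from.lower() in table.get(auth_user, set())


def relay_decision(auth_user, mail_from, home_server_ip):
    """Roaming user -> home submission server -> remote MX.

    The home server applies submission_check to the authenticated session; the
    remote MX then applies lmap_check to the home server's own IP.
    """
    if not submission_check(auth_user, mail_from):
        return "rejected at submission"
    return "lmap " + lmap_check(mail_from, home_server_ip)
```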

