
SASL vs. IP relay authorization

2004-11-19 10:01:40

On Thu, 18 Nov 2004 Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

> and the server requires AUTH based on source IP, and the client was a
> migratory machine...

There are a number of problems with selectively advertising SMTP AUTH,
which I'll list below. It is much better to advertise AUTH to all client
IP addresses. If your SMTP server is acting in several roles (message
submission server, mail exchanger, smarthost) it's probably better to only
advertise AUTH on ports 587 and 465; in any case it's better for mobile
users to avoid port 25 for message submission because of anti-spam blocks
and interceptions on that port.

(1) It is common for ISPs to intercept port 25. If you are providing your
submission service on port 25 then MUA software will not be able to tell
the difference between being on the home network and being on a network
with a port 25 intercept, and will happily send the message without

This combines badly with various anti-spam technologies: for example the
UK Freeserve intercepting email servers are in the MAPS DUL, so a message
from one of my misconfigured users at home would be rejected by my servers
and then the bounce (generated by the intercepting MTA) would also be
rejected, and the message would be silently lost. Similar problems would
result from SPF checks.

(2) In order to avoid man-in-the-middle attacks (of which problem 1 is an
accepted variant) it is better for the user to configure their software to
require AUTH. However if they do that they have to reconfigure whenever
they move between their home network and elsewhere. This is a pain and no
better than the situation without SMTP AUTH when the user would have to
reconfigure to use the local network's smarthost. It's easier to encourage
users to turn on secure authentication if it actually benefits them.

(3) You can combine techniques like BATV with SMTP AUTH to encode a
proof-of-authentication in the message's return path address. This can
extend the secure traceability of email further than a small set of
trusted MTA hosts, and it can make message forgery substantially more
difficult. (This is in addition to the basic BATV benefit of detecting
backscatter from forged spam.) Of course you can only do this if your
users routinely use authenticated message submission.

f.a.n.finch  <dot(_at_)dotat(_dot_)at>
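The following is an added example, not code from the message above or from any software its author ran. It shows one way to do what point (3) describes: mint a BATV-style PRVS tag on the return path only for messages that arrived over authenticated submission, so that a correctly signed return path is itself evidence that the message left through SMTP AUTH, and bounces to unsigned or forged addresses can be rejected as backscatter. The tag layout follows the PRVS draft (`prvs=KDDDSSSSSS=user@domain`, with a key number, a modulo-1000 expiry day and six hex digits of HMAC); the key, the seven-day validity window, the dates and the addresses are constructed for the demo.

```python
"""BATV-style (PRVS) signed return paths issued only for authenticated
submission.  Added example; not code from the original post."""
from __future__ import annotations

import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed secret for the demo.  In a real deployment this is a per-domain
# secret; rotating it means bumping the key number so old tags still verify.
KEYS = {0: b"constructed-demo-secret-0"}
VALID_DAYS = 7  # assumption: how long a tagged return path accepts bounces

PRVS_RE = re.compile(
    r"prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<addr>.+)"
)


def _signature(key: bytes, keyno: int, ddd: int, address: str) -> str:
    """First six hex digits of HMAC-SHA1 over the tag header and bare address."""
    msg = f"{keyno}{ddd:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address: str, authenticated: bool, today: date,
                     keyno: int = 0) -> str:
    """Return the PRVS-tagged address, but only for authenticated submissions.

    Mail that was merely relayed on the strength of its source IP keeps the
    plain address, so the presence of a valid tag records that the message
    was submitted over SMTP AUTH.
    """
    if not authenticated:
        return address
    ddd = (today + timedelta(days=VALID_DAYS)).toordinal() % 1000
    sig = _signature(KEYS[keyno], keyno, ddd, address)
    return f"prvs={keyno}{ddd:03d}{sig}={address}"


def verify_return_path(tagged: str, today: date) -> tuple[bool, str]:
    """Check the recipient of an incoming bounce (our original return path).

    Returns (accepted, bare_address).  accepted is True only if the tag was
    minted with one of our keys, for exactly this address, and has not
    expired; anything else is backscatter from a forged sender.
    """
    m = PRVS_RE.fullmatch(tagged)
    if m is None:
        return False, tagged  # untagged: never left via authenticated submission
    keyno, ddd, sig, addr = int(m["k"]), int(m["ddd"]), m["sig"], m["addr"]
    key = KEYS.get(keyno)
    if key is None:
        return False, addr
    # The expiry day is stored modulo 1000; it must still lie within the
    # validity window ahead of today, otherwise the tag is stale or replayed.
    remaining = (ddd - today.toordinal() % 1000) % 1000
    if remaining > VALID_DAYS:
        return False, addr
    expected = _signature(key, keyno, ddd, addr)
    return hmac.compare_digest(expected, sig), addr


if __name__ == "__main__":
    today = date(2004, 11, 19)  # constructed date
    rp = sign_return_path("alice@example.com", True, today)
    print("signed return path:", rp)
    print("bounce to it today:", verify_return_path(rp, today))
    print("bounce to plain address:",
          verify_return_path("alice@example.com", today))
```

The verification step belongs on every MX for the domain, not only on the submission host: once all outbound mail from authenticated users carries a tag, a null-sender message addressed to an untagged or mis-signed local address can be refused at RCPT time, which is the "detecting backscatter" benefit the message mentions, while the signing policy itself (sign only after AUTH) is what turns the tag into a proof of authenticated submission.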