ned+ietf-smtp(_at_)mrochek(_dot_)com wrote:
POP-before-SMTP, OTOH, is very common, and that makes POP
authentication very relevant indeed. POP-before-SMTP also
carries with it an additional, unique set of security risks.
Do we need to document them as well?
Maybe you could say that an SMTP-after-POP MSA *MUST* enforce
submission rights (2476bis option 6.1), that should be okay.
It's still a clumsy scheme (but my old MUA loves it).
One (non-security) issue I heard of was a roaming user trying
to use POP-after-SMTP while his always-on home box periodically
checked the POP-server. So in that case one IP enabled to be
used for SMTP with a given MAIL FROM was not enough, he needed
two IPs.
Anyway, it _can_ be better than a plain AUTH LOGIN. Bye, Frank