SMTP Kerberos support

2011-11-02 16:16:47

Douglas Otis wrote:

Agreed, crypto offers recognition of previous encounters. A desire to make exchanges that traverse LSNs is clearly where something like Kerberos tickets can play a suitable role in offering a low overhead process. Kerberos can also offer a lower frequency rate where it remains practical to identify all domains prior to issuing tickets. Reputations MUST BE based on AUTHENTICATED identities.

I am not sure Kerberos is as suitable as you may think for the public port SMTP market. I can see it works well when employed with centralized vendor networking, where control is in place and timing can be auto-configured among clients.

But it does require time synchronization across the board and I think it's quite unrealistic (to achieve reliably) in a *decentralized* SMTP public port environment of different servers and clients. Note the emphasis on decentralized.

Of course, the #1 reason it doesn't apply in a public port 25 SMTP standard is because it cannot be enforced. And I should note that the discussions regarding 4yz policy based rejections w/o time hints, to me, were understood to be only applicable to unauthenticated, anonymous senders. Once a sender is known by any form of authentication, policies such as greylisting or other sender filtering methods should not be applied. I know there is the possibility of a compromised user, but that's a different set of issues (and most complex, costly considerations) in my opinion.


Hector Santos
