[Top] [All Lists]

Re: SMTP Kerberos support

2011-11-02 17:11:11

On 11/2/11 1:57 PM, Hector Santos wrote:
Of course, the #1 reason it doesn't apply in an public port 25 SMTP standard is because it can not be enforced. And I should note that the discussions regarding 4yz policy based rejections w/o time hints, to me, was understood to be only applicable to unauthenticated, anonymous senders. Once a sender is known by any form of authentication, policies such as greylisting or other sender filtering methods should not be applied. I know there is the possibility of a compromised user, but thats a different set of issues (and most complex, costly considerations) in my opinion.

Authenticating outbound SMTP servers provides an effective enforcement method for dealing with compromised systems. Ensuring certainty of a requirement to mitigate compromised accounts makes this happen. A preliminary authentication process providing a lead of many hours offers a reasonable strategy to offer advanced notice when a problem requires intervention. Often this only entails a reply that action will be taken.

To get an idea about how Kerberos might be deployed in wider environments, see RFC6281. Duration of these tickets were set at 10 hours. Not exactly a difficult timing constraint. There could also be servers acting in their stead to facilitate ticket retrial when clients are within highly constrained environments.


<Prev in Thread] Current Thread [Next in Thread>