Since section 5 "Message Submission Authentication/Authorization
Technologies" mentions only SMTP AUTH and TLS, does it mean that
authentication by IP addresses is forbidden? I ask so because it is
currently the most common way to weakly authenticate local users. Is
it covered by "Depending upon the environment, different mechanisms
can be more or less effective and convenient"?
The latter. The intention is to encourage everyone to use AUTH or
TLS, since they tend to provide better granularity than IP
authentication. For example, it's dismayingly common to use security
holes to install scripts on web servers that send out spam. If the
legit scripts all used AUTH when sending mail to the local mail
server, it would be immediately obvious when a rogue script were
sending mail.
Side note: on Unix, will cron be forced to authenticate to send emails
at 2 am? :-)
Perhaps a sentence or two clarifying that this only applies to SMTP and
SUBMIT would be in order.
R's,
John
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf