At 08:57 30/01/2004, Lyndon Nerenberg wrote:
> As far as authorizing and authenticating the source: Who cares where the
> message was injected at? What matters is who sent it. All the attempts to
> block IP addresses just make my life hell when I'm on the road. These
> schemes don't authenticate *me* in any way, shape, or form. So if you mean
> authorizing and authenticating the *composer* of the message, now we're
> back to the application layer, and beyond the scope of the messaging transport.
Sorry. I disagree totally.
If I have proper user level authentication at my servers, I don't need to
block any IP addresses. You can log on to your 'home' mail server from
anywhere in the world, because you can log on to it and it knows who you
are. You can then send all your mail through your home mail server. Any
other mail servers can then know that your email address has not been faked
by a spammer, because your messages have come from a mail server which is
authorised to send mail from your domain, and which has correctly
authenticated you as the sender. This seems quite straightforward to me.
If you send your message through another mail server, then there is NO WAY
of knowing who sent it, unless you use something like PGP or S/MIME, which
is complex to set up and requires costly (and PITA) certificates (for
S/MIME) or is easy to fake when sending to someone new (PGP). IME these
systems just don't work well at the moment, and I can't see how they could
work well in a next-generation system. There are easier solutions, so why
not use them?
If you don't have user level authentication, you MUST have IP address
blocking, or you create a haven for spammers.
I see user level authentication as being a MUST for any next generation
mail system. (If all MTAs/MUAs supported SMTP authentication now, life
would be a lot easier for everyone)
Paul
VPOP3 - Internet Email Server/Gateway
support@pscs.co.uk  http://www.pscs.co.uk/
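The two-stage scheme Paul describes (the home server relays only for users it has authenticated, and receiving servers accept a domain's mail only from servers that domain has authorised) can be modelled in a few lines. The following is an added example written for this page; it is not VPOP3 code or any code from the thread. The user table, the authorised-relay table and every IP address and mailbox in it are constructed for the illustration, and the check is deliberately simplified: a real deployment would publish the authorised-server list somewhere receiving servers can look it up (DNS being the obvious place), and would hash the stored passwords rather than compare plaintext.

```python
"""Model of sender authentication at two points in the mail path:

  1. submission_check  - the user's *home* server relays a message only if
     the user has authenticated and is allowed to use the envelope sender
     address. No client-IP restrictions are involved, so it works from
     anywhere on the road.
  2. inbound_check     - a *receiving* server decides whether the MTA that
     connected to it is one the sender's domain has authorised.

Hypothetical example code, not VPOP3. All data below is constructed.
"""

import hmac
import ipaddress

# Constructed sample data (assumption): local accounts, their passwords and
# the envelope-sender addresses each account may use.
USERS = {
    "paul":  {"password": "correct-horse",
              "addresses": {"paul@example.co.uk", "support@example.co.uk"}},
    "alice": {"password": "battery-staple",
              "addresses": {"alice@example.co.uk"}},
}

# Constructed sample data (assumption): the MTAs each domain has authorised to
# send its mail. In practice a domain would publish this for others to query.
AUTHORISED_RELAYS = {
    "example.co.uk": [ipaddress.ip_network("192.0.2.10/32"),
                      ipaddress.ip_network("198.51.100.0/24")],
}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].lower()


def submission_check(user, password, mail_from):
    """Home server policy. Returns (accepted, reason).

    Relay only for an authenticated user, and only as an address that user
    is entitled to use; an authenticated user may not forge a colleague's
    address either."""
    account = USERS.get(user)
    # compare_digest avoids a timing side channel; a real server would
    # compare against a salted hash instead of a plaintext secret.
    if account is None or not hmac.compare_digest(account["password"], password):
        return False, "authentication failed"
    if mail_from.lower() not in {a.lower() for a in account["addresses"]}:
        return False, f"{user} is not allowed to send as {mail_from}"
    return True, f"authenticated {user} as {mail_from}"


def inbound_check(peer_ip, mail_from):
    """Receiving server policy. Returns 'pass', 'fail' or 'unknown'.

    'pass'    - the connecting MTA is authorised for the sender's domain
    'fail'    - the domain publishes a list and this MTA is not on it
    'unknown' - the domain publishes nothing, so no conclusion is possible
    """
    relays = AUTHORISED_RELAYS.get(domain_of(mail_from))
    if relays is None:
        return "unknown"
    ip = ipaddress.ip_address(peer_ip)
    return "pass" if any(ip in net for net in relays) else "fail"


def send_via_home_server(user, password, mail_from, home_server_ip):
    """End to end: submit to the home server, then let a receiving server
    judge the connection that server makes. Returns the receiving server's
    verdict, or 'rejected at submission' if the home server refused."""
    accepted, _reason = submission_check(user, password, mail_from)
    if not accepted:
        return "rejected at submission"
    return inbound_check(home_server_ip, mail_from)


if __name__ == "__main__":
    # Legitimate user, travelling, relaying through the home server at 192.0.2.10
    print(send_via_home_server("paul", "correct-horse", "paul@example.co.uk", "192.0.2.10"))
    # Spammer connecting directly from an unrelated address and forging Paul's
    print(inbound_check("203.0.113.5", "paul@example.co.uk"))
    # Domain that has published nothing: the receiving server cannot decide
    print(inbound_check("203.0.113.5", "someone@other.example"))
```

Note what the receiving side actually learns: only that the connecting server is authorised for the sender's domain. The binding between a person and the message exists solely on the home server, through its own authentication of the submitter; a recipient has to trust that server to have done that check, which is the part of the argument the quoted message is objecting to. The "unknown" result also matters in practice: until every domain publishes an authorised-server list, a receiver can only reject on "fail", not on "unknown", or it will bounce legitimate mail.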