mail-ng
[Top] [All Lists]

Re: Why are we here? What are our goals?

2004-01-30 04:25:12

At 08:57 30/01/2004, Lyndon Nerenberg wrote:
As far as authorizing and authenticating the source: Who cares where the message was injected at? What matters is who sent it. All the attempts to block IP addresses just make my life hell when I'm on the road. These schemes don't authenticate *me* in any way, shape, or form. So if you mean authorizing and authenticating the *composer* of the message, now we're back to the application layer, and beyond the scope of the messaging transport.

Sorry. I disagree totally.

If I have proper user level authentication at my servers, I don't need to block any IP addresses. You can log on to your 'home' mail server from anywhere in the world, because you can log on to it and it knows who you are. You can then send all your mail through your home mail server. Any other mail servers can then know that your email address has not been faked by a spammer, because your messages have come from a mail server which is authorised to send mail from your domain, and which has correctly authenticated you as the sender. This seems quite straightforward to me.

If you send your message through another mail server, then there is NO WAY of knowing who sent it, unless you use something like PGP or S/MIME, which is complex to set up and requires costly (and PITA) certificates (for S/MIME) or is easy to fake when sending to someone new (PGP). IME these systems just don't work well at the moment, and I can't see how they could work well in a next-generation system. There are easier solutions, so why not use them?

If you don't have user level authentication, you MUST have IP address blocking, or you create a haven for spammers.

I see user level authentication as being a MUST for any next generation mail system. (If all MTAs/MUAs supported SMTP authentication now, life would be a lot easier for everyone)


Paul                            VPOP3 - Internet Email Server/Gateway
support(_at_)pscs(_dot_)co(_dot_)uk                     http://www.pscs.co.uk/