spf-discuss

Re: [spf-discuss] Can this really be true?

2005-09-22 17:36:58
On Thu, 2005-09-22 at 17:47 -0400, Dick St.Peters wrote:
> johnp writes:
> > Can anyone see anything right about this arrangement - or am I
> > blinkered/stupid?
>
> I think you're pursuing the wrong weakness.  When users have to
> authenticate to get on the network, what is wrong with the network's
> mail relay not requiring a second authentication to send mail?

The problem with not requiring a second authentication and authorization
is that the authorization to access the network is not the same as the
authorization to access the SMTP servers.  I agree that this may be
implicit, but I don't think that making it so is necessarily a wise
choice in all circumstances.

Consider the case of a home wireless connection that anyone with a
wireless card can get on.  If the ability to be on the network
authorizes anyone to use the SMTP servers, then a rogue laptop could
send through the SMTP servers.  Admittedly, the access point should be
secured also, but multiple points of authorization checks (which may
require additional authentication checks also) help combat that.  MUAs
that have the ability to "remember passwords" help avoid user
inconvenience due to multiple authentication and authorization checks,
so doing multiple checks does help to make abuse of the network harder
for those who would abuse it and helps avoid any single point of failure
that would bring down the entire security setup.

The same could be said for a business account that has an office NAT'ed
behind a single link.  One of the ways to enforce that users drop mail
off on the local SMTP server rather than using the ISP's server directly
would be to use a password on the ISP's SMTP server, and the local SMTP
server uses the ISP's server as its smart host (postfix, for example,
supports authentication to smart hosts).  This would, of course, be in
addition to various transparent proxies set up to direct all SMTP traffic
to the local server.

-- 
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
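The office-relay arrangement Andy describes (local Postfix authenticating to the ISP's smart host, the relay itself granting relaying only after SMTP AUTH rather than by network position, and outbound port 25 redirected to it) as a worked configuration. This is an added example, not something posted in the thread or taken from the Postfix documentation verbatim; smtp.isp.example, eth1, 192.0.2.25, the account name and password are assumed placeholders, and the script only stages files into a scratch directory so it can be run and inspected without touching a live mail or firewall setup.

```shell
#!/bin/sh
# Added example, not from the original thread. Stages the Postfix settings
# for the arrangement described above: the office relay authenticates to the
# ISP's smart host with SMTP AUTH, itself accepts relaying from the LAN only
# after SMTP AUTH, and outbound port-25 traffic is redirected to it.
# smtp.isp.example, eth1, 192.0.2.25 and the credentials are assumed placeholders.
set -eu

# Client side of the office relay: main.cf directives for relaying through
# the ISP smart host. "noanonymous" plus TLS "encrypt" means PLAIN/LOGIN
# credentials are only ever sent inside an encrypted session.
postfix_smarthost_settings() {
  relay="$1"
  cat <<EOF
relayhost = [$relay]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
EOF
}

# One line for /etc/postfix/sasl_passwd. The lookup key must match the
# relayhost value byte for byte (brackets and port included), otherwise the
# credentials are never found and the smart host refuses to relay.
sasl_passwd_entry() {
  printf '[%s]:587 %s:%s\n' "$1" "$2" "$3"
}

# Server side of the office relay: relaying is granted by SMTP AUTH, not by
# permit_mynetworks, so a machine that merely got onto the LAN cannot relay.
# (smtpd_relay_restrictions exists in Postfix 2.10 and later; older releases
# carry the same list in smtpd_recipient_restrictions.)
local_relay_settings() {
  cat <<EOF
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
EOF
}

# The "transparent proxy" part: a NAT rule on the gateway that sends any
# outbound SMTP arriving on the LAN interface to the local relay instead.
smtp_redirect_rule() {
  iface="$1"; relay_ip="$2"
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 25 -j DNAT --to-destination %s:25\n' \
    "$iface" "$relay_ip"
}

# Stage everything into a scratch directory for review; nothing here touches
# the live Postfix or firewall configuration.
stage_dir=$(mktemp -d "${TMPDIR:-/tmp}/relay-stage.XXXXXX")
postfix_smarthost_settings smtp.isp.example > "$stage_dir/main.cf.client"
local_relay_settings > "$stage_dir/main.cf.server"
sasl_passwd_entry smtp.isp.example office-account 'assumed-password' > "$stage_dir/sasl_passwd"
chmod 600 "$stage_dir/sasl_passwd"   # the map holds a plaintext password
smtp_redirect_rule eth1 192.0.2.25 > "$stage_dir/firewall.sh"
echo "staged in $stage_dir; after installing, run: postmap hash:/etc/postfix/sasl_passwd && postfix reload"
```

Two things worth checking after installing the staged files: `postconf -n` should show both `smtp_sasl_auth_enable` (client side) and `smtpd_sasl_auth_enable` (server side), since the two prefixes are easy to mix up, and a test delivery from a LAN host that has not authenticated should be refused with "Relay access denied" rather than accepted because of `permit_mynetworks`.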