Andy Bakun writes:
The problem with not requiring a second authentication and authorization
is that the authorization to access the network is not the same as the
authorization to access the SMTP servers. But I agree that this may be
implicit, but I don't think that making it so is necessarily a wise
choice in all circumstances.

True enough. My own IP space is divided into ranges allowed to send
mail without further authentication and ranges not allowed to do so.
However, the latter amount to only a few of my users' addresses, and
most of my on-network users are considered authenticated by virtue of
being on my network.

MUAs that have the ability to "remember passwords" help avoid user
inconvenience due to multiple authentication and authorization checks,
so doing multiple checks does help to make abuse of the network harder
for those who would abuse it and help any single point of failure that
would bring down the entire security setup.

OTOH, those same MUAs represent a threat when they're on laptops or
other computers that get stolen. Some of my users have been slow or
reluctant to have their passwords changed following such thefts.
Some have even forgotten that there even is such a thing as a password
when they never have to enter it for anything.
--
Dick St.Peters, stpeters(_at_)NetHeaven(_dot_)com