spf-discuss

Re: [spf-discuss] Re: Can this really be true?

2005-09-24 01:59:16


Frank Ellermann wrote:
> johnp wrote:
>
>> Why should I bother with authenticating my users' SMTP log-in
>> with anything other than POP-before-SMTP? That is similar to
>> the ISP's log-in - a plain username/password combination.
>
> With APOP it's better than USER + PASS.

Unfortunately the most-used MUA doesn't support APOP (Outlook Express)

>   POP-before-SMTP is
> very clumsy in some situations, one story I heard:  User's PC
> is always online and automatically checks POP (once per 15
> minutes or similar).  At the same time the user is roaming
> and wants to send mail from his laptop.  That can result in
> collisions blocking the roaming user.
>
> And POP-before-SMTP once used to be "this IP may send for some
> time", but if it's a dyn. IP another user of the same ISP can
> get and abuse it to spam (for "another user" read zombie):  It
> is not necessarily straightforward to analyze this problem -
> the abused IP wasn't "enabled" by the spammer, but by another
> innocent user who used it before to access his POP mailbox.
>
> If it's restricted to check IP and MAIL FROM (the famous 2476
> "enforced submission rights") it's almost as "good" as ESMTPA
> (SMTP AUTH), but otherwise it's clumsy.  And for roaming users
> that's in fact only "not much worse".
>
>> I might now have to relax that in order to keep some of my
>> customers because opening the extra 2 windows to configure
>> Outlook on one occasion is difficult for them
>
> My stoneage MUA doesn't support SMTP AUTH at all... <shrug />

What is your MUA - and how do you authenticate securely?

Slainte,
JohnP
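
The dynamic-IP problem and the IP + MAIL FROM restriction discussed in the quoted text above, as an added example that is not part of the original thread: a small Python model of a POP-before-SMTP relay table, replayed over one constructed timeline. The class, the 900-second window and the addresses are assumptions made up for illustration.

```python
"""Model of a POP-before-SMTP relay table (added example; all names hypothetical)."""
from dataclasses import dataclass, field

WINDOW = 900  # seconds an IP stays enabled after a POP login (assumed value)

@dataclass
class PopBeforeSmtp:
    bind_sender: bool = False   # True: MAIL FROM must match the POP mailbox
    table: dict = field(default_factory=dict)   # ip -> (mailbox, login time)

    def pop_login(self, ip, mailbox, now):
        """A successful POP login is what 'enables' the IP for relaying."""
        self.table[ip] = (mailbox, now)

    def may_relay(self, ip, mail_from, now):
        """Decide whether the SMTP client at `ip` may relay with this MAIL FROM."""
        entry = self.table.get(ip)
        if entry is None:
            return False
        mailbox, seen = entry
        if now - seen > WINDOW:
            del self.table[ip]  # expire the stale entry
            return False
        if self.bind_sender and mail_from.lower() != mailbox.lower():
            return False
        return True

def replay_dynamic_ip(policy):
    """Constructed timeline: alice polls POP at t=0, then leaves a dynamic IP;
    by t=300 a different host of the same ISP holds that address."""
    ip = "192.0.2.10"           # documentation address (RFC 5737)
    policy.pop_login(ip, "alice@example.org", now=0)
    return {
        "alice_t60": policy.may_relay(ip, "alice@example.org", now=60),
        "reassigned_ip_other_sender": policy.may_relay(ip, "bulk@example.net", now=300),
        # MAIL FROM is supplied by the client, so binding narrows the window
        # without authenticating anyone: "almost as good" as SMTP AUTH.
        "reassigned_ip_same_sender": policy.may_relay(ip, "alice@example.org", now=300),
        "after_window": policy.may_relay(ip, "alice@example.org", now=1000),
    }

if __name__ == "__main__":
    for name, policy in (("IP only", PopBeforeSmtp()),
                         ("IP + MAIL FROM", PopBeforeSmtp(bind_sender=True))):
        print(name, replay_dynamic_ip(policy))
```

In the relay log both accepted sessions trace back to alice's POP login, which is why the abuse is hard to analyze; SMTP AUTH ties each submission to credentials instead of to an address lease.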
