On Sat, 3 Feb 2001 02:54:10 -0800 (PST), Howard Schwartz wrote:
> My corporate ISP just installed what the level-1 techs call a ``spam
> filter'' for the SMTP mail server. As a result, this server refuses
> to send mail out to anyone not already in its domain, unless my
> mail transport software identifies me as a trusted user, presumably
> with a userid and password.
> Therefore my old friends, Dos smtp mail transport software like
> Alfredo Cole's smtpop or fdsmtpop, no longer work. ``In the old
> days'' the pop3 protocol authenticated by asking for a user name
> and password, but the SMTP protocol did not. Consequently, older
> smtp transport programs do not send protocol messages, for example,
> that use the new ``auth' (authorization) command --.
> I do not know too much about SMTP authentication, except that
> there are several ways to do it (e.g., CRAM-MD3, PLAIN, LOGIN methods),
> that some of them use MIME to encrypt your password, that some of them
> use a new STMP command called `auth' or `auth=<identity>'. I have
> not tried arachne's insight yet to see if it has SMTP authentication.
> Can any one help me figure out if I can tweak my old SMTP programs to
> provide some form of this authentication? I was hoping this might be
> done with some varient of the traditional `HELO' command, or by
> first logging in to the POP server, giving my identity, and then
> switching to SMTP.
> Any ideas? I hate to see my dos smtp days coming to an end.
Hello Howard:
I have been reading about problems with this new SMTP authentication
protocol here and also on some other lists and in some newsgroups. I
don't understand why one's own ISP would require a person already logged
onto to their system to authenticate himself to the ISPs own smtp server.
The ISP already knows that you are OK because you had to supply a user
name and a password to log onto their system and connect to the internet.
These authentication measures should not be necessary when one is trying
to send messages out of his own ISP's smtp server. If one were trying to
send messges out of somebody else's ISP's smtp server, then that would be
another story because the other ISP doesn't know who he is or whether he
has permission to use their system's smtp server.
So my question is: Why does one need to authenticate himself to his own
system's smtp server? They already know who you are and they know you are
OK because you are already logged on to their own system by using a
username and a password that they have already authorized and they have
already matched to your identity. My ISP's smtp server does not have an
authentication protocol, but unless you are connected to "shentel.net" I
don't think there is any way you can send a message out of
"smtp.shentel.net" unless you have obtained some subscriber's username and
password and have used this information to illegally log in to "shentel.net"
If usernames and passwords have already been compromised, then the smtp
authentication protocol would not provide any increased security whatsoever.
Sam Heywood
-- This mail was written by user of The Arachne Browser - http://arachne.cz/
