Re: Question about auth and auth-optional

Sat, 24 May 2014 12:34:24 -0700 

On Sat May 24 2014 22:00, PP;QQ PP>QP:P8P= wrote:
> What is submission port?

587/tcp

> I noticed, that if option "auth" is specified, than nobody can send
> messages to my server without password, even gmail or other external
> services.

Yes, that's correct. This keyword is designed for the submission port.
You'll usually want to listen on this port to authenticated users, only.
That's what this keyword is used for.

> If option auth-optional is specified, i successfully receive mail from
> gmail, yandex and everything else. So, I think auth-optional is the
> only choise for most of servers, am i right? 

No. It's quite the opposite, actually. ;-)
Most servers use a dedicated port for anonymous connections (25/tcp),
and a dedicated port for authenticated users (587/tcp).

Yes, there *are* a lot of mail servers which also accept authenticated
sessions over port 25. This is a historical relict from the age where
most mail servers used this port for both, MTA and MSA (Mail Submission
Agent) functions. Sometimes, however, servers are deliberately
configured this way, e.g. due to technical restrictions, such as a
weirdly set up packet filter on the ISP's site.

> Could you help me with one more question, please. Will OpenSMTPD ever
> support non-tls PLAIN login auth mechanism? For me it is not a problem
> to use tls, but some old or thin mua does not support tls or ssl, i
> know this is not secure, but for the OpenSMTPD full greatness it would
> be nice. 

I tend to think this will not be the case, as this means we're taking a
step backwards regarding security and it obviously does not *solve* a
real practical problem, but *creates* real practical problems.

If there are real people in the whole wide world who're still using
ancient MUA software not speaking TLS, I'd reject them accessing my mail
servers and really push them to use modern software.

So, what's the "full greatness" you're talking about?

Norman

-- 
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]

Reply via email to