On Thu, 6 Feb 2003, Chuck Yerkes wrote:

> POP-b4-SMTP is risky at best and fails at worst.
> Clients have planned to use it and have found great pain after
> deploying dozens of laptops. There are those who chose
> it even after SMTP AUTH was available and clearly the "Right Answer"
> to replace the hack that is POP-b4-SMTP.

As an additional note for this - and ESPECIALLY applicable to laptops.

Lots of ISPs block port 25 transactions outside their local networks to prevent direct-to-MX spammers operating out of their dialups.

As a result, roaming users need to use the MSA port instead of SMTP and there are security issues involved with using plaintext SMTP AUTH - as in anyone can read the passwords if they happen to be sniffing the traffic(*), so you'd better use SSL too.

(*) Anyone doing traffic accounting for starters.

> The POP request comes in, your script enables anyone coming
> from that AOL host to relay freely for 20 minutes <shudder>
> but your SMTP connection comes in via a different relay. You
> are denied. Ooops.

And some software (Outlook Express) does SMTP before POP3, so even if pop-before-smtp is enabled, users will still ring you up complaining that things don't work.

> SMTP-AUTH is almost always the right answer at this point.
> Even for internal LAN mail (keeps some guy who got on your
> 802.11a line from spamming).

Or the spammer coming in via a customer's promiscuous TCP port 25 proxy from abusing your smarthost..
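
Added example, not part of the original message and not code from any real MTA: a small model of a POP-before-SMTP relay table, run through the failure cases raised in this thread. The class, function names and IP addresses (documentation ranges) are constructed for illustration; the 20-minute window is the one quoted above.

```python
# Constructed model of a POP-before-SMTP relay table (illustrative only).
RELAY_WINDOW = 20 * 60  # seconds; the 20-minute window mentioned in the thread


class PopBeforeSmtp:
    """Grants relay rights to a source IP after a successful POP login."""

    def __init__(self):
        self.allowed = {}  # source IP -> expiry time in seconds

    def pop_login(self, ip, now):
        # The POP daemon only sees the source address, so the grant is
        # tied to the address and not to the user who logged in.
        self.allowed[ip] = now + RELAY_WINDOW

    def may_relay(self, ip, now):
        return self.allowed.get(ip, 0) > now


def run_scenarios():
    """Return the relay decision for each case discussed in the thread."""
    results = {}

    # 1. Provider with several outbound hosts: the POP session and the
    #    SMTP session reach the server from different addresses.
    table = PopBeforeSmtp()
    table.pop_login("192.0.2.10", now=0)
    results["user_via_other_relay"] = table.may_relay("192.0.2.11", now=30)

    # 2. Anyone else behind the same outbound host inherits the grant.
    results["stranger_same_host"] = table.may_relay("192.0.2.10", now=600)

    # 3. Client that sends before it polls: first attempt is refused,
    #    a retry after the POP login succeeds.
    table = PopBeforeSmtp()
    results["smtp_before_pop"] = table.may_relay("198.51.100.7", now=0)
    table.pop_login("198.51.100.7", now=5)
    results["retry_after_pop"] = table.may_relay("198.51.100.7", now=10)

    # 4. The grant lapses once the window has passed.
    results["after_window"] = table.may_relay("198.51.100.7", now=5 + RELAY_WINDOW)
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'relay allowed' if allowed else 'relay denied'}")
```

Every decision in the model depends only on the source address, which is why the legitimate user is refused in cases 1 and 3 while an unrelated sender is accepted in case 2.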
