Re: Missing Option AuthRequiredForAllIPs

[Jacques Lema]

The auth mechanism works very well and I don't want to change anything 
to it. The only thing missing is the ability to advertise that AUTH is 
available _also_ to trusted hosts. The behaviour currently is that if 
the host is trusted (127.0.0.1 typically) james hides it's ability to 
receive auth connections (answer to EHLO doesn't contain "250 AUTH LOGIN 
PLAIN" anymore).

I don't see how allowing a trusted to see AUTH capability is a security 
threat (since all external untrusted hosts are allowed to see it obviously).

Danny Angus wrote:

What I would like is:

a) be able to send a mail from localhost without authentication
b) be able to send a mail from localhost (precisely from a
spam-filtering proxy such as ASSP) _with_ authentication.

As I understood it advertising AUTH supported is equivalet to requiring
auth, are you suggesting that we advertise AUTH required but still allow
unathenticated relaying?
If so I'm not sure that I'd support such a change as it introduces a
security hole in the AUTH mechanism. Far better to require AUTH from
everyone and deal with it, after all not requiring AUTH from localhost is
surely a convenience only. Most, surely all, methods of sending from
localhost will be indistingushable from remote proceses, all we are doing
is assigning some higher level of trust because we trust our local machine
and our ability to identify it.
d.

***************************************************************************
The information in this e-mail is confidential and for use by the addressee(s) only. 
If you are not the intended recipient (or responsible for delivery of the message to 
the intended recipient) please notify us immediately on 0141 306 2050 and delete the 
message from your computer. You may not copy or forward it or use or disclose its 
contents to any other person. As Internet communications are capable of data 
corruption Student Loans Company Limited does not accept any  responsibility for 
changes made to this message after it was sent. For this reason it may be 
inappropriate to rely on advice or opinions contained in an e-mail without obtaining 
written confirmation of it. Neither Student Loans Company Limited or the sender 
accepts any liability or responsibility for viruses as it is your responsibility to 
scan attachments (if any). Opinions and views expressed in this e-mail are those of 
the sender and may not reflect the opinions and views of The Student Loans Company Li
mited.
This footnote also confirms that this email message has been swept for the 
presence of computer viruses.
**************************************************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]