Hi Noel,

On Monday, 24 July 2006 04:15, Noel J. Bergman wrote:
> And in ancient days, almost all mail servers were open relays.  And we also
> didn't use to have so many hotels, Internet cafes, offices, even some
> service providers, using non-routable subnets and a single gateway IP.  But
> with massive explosion of Internet access points and very little pickup for
> IPv6, non-routable subnets are now more the norm than the exception.
>
> POP3 before SMTP was a quick hack because POP3 already had authentication,
> and SMTP didn't have it (at the time).  Even sites, such as ORDB, that
> recommend POP3 before SMTP say that SMTP AUTH would be preferable.  Even
> POP3 is dangerous without SSL.  All of these protocols date back to long
> gone days when the population of the Internet was trustworthy.

I never said that POP3 before SMTP is preferable over SMTP-AUTH. I just say
changing to SMTP-AUTH might cost a Service-Provider several thousand dollars.
And POP3 before SMTP is an alternative that saves him that money.

> > You can read the explanation about a different project and how it
> > handles this here: http://popbsmtp.sourceforge.net/manpage.shtml
>
> Yes, I know.  Your point?  Do you deny that mapping just the IP opens the
> door to re-use by everyone else using the gateway router?

Yes, I deny. My point is: there are numerous implementations out there. I
myself administer a 10.000+ Account E-Mail Server. Although using
qmail+vpopmail there. We have been using POP3 before SMTP there and never ever
had a Spamming Problem because of POP3 before SMTP.

Again, why implement it differently than one would expect from it (Users and
Administrators)?

>>> Better would be to maintain {ID, IP}-tuples.
>>> Although that would be more difficult, or perhaps less useful, in virtual
>>> user table situations, since the POP3 USER and the SMTP MAIL FROM would be
>>> different, it would be better than creating Open Relays;
>>
>> exactly.
>
> And so we agree, and need not argue the point.  :-)

Do we? I wrote "exactly" because this would mean making POP3 before SMTP less
useful. I also wrote in the example why. Multiple Identities, Username <>
E-Mail Address. But just curious: do I understand you correctly that the ID is
the User's E-Mail Address, or Username?

> > Then again the question at hand is why implement it different from
> > what the System Administrator would expect?
>
> Because I'm interested in security and correct behavior, not jumping off an
> old bridge that dates back to days when SMTP AUTH wasn't as common.

Ok. But SMTP is an old protocol as well. If you are a security-aware person,
one would not define the SMTP Protocol today as one did back in 1982.
Transferring possibly confidential Data in Plaintext. Numerous Enhancements
showed that.
There even have been alternative approaches as with qmail and QMTP. Would just
because of that ancient RFC implement the protocol different? That said, I know
there is no RFC for POP3 before SMTP. And because of the RFC you would not
implement SMTP Protocol different.

I just say that James should not implement it differently than any other
Mailserver or 3rd party solution does. It could be a configurable feature
though, possibly giving the Administrator the choice; as we know, choice is a
good thing :)

--
Kind regards

Juergen
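
The two table designs argued over in this thread, IP-only mapping versus {ID, IP} tuples, modelled as an added example that is not part of the original message and is not James, qmail or vpopmail code. The class name, the 1800-second lifetime and all addresses are assumptions constructed for illustration.

```python
import time

class PopBeforeSmtp:
    """Relay-authorization table filled by successful POP3 logins (hypothetical model)."""

    def __init__(self, ttl=1800, bind_identity=False, clock=time.monotonic):
        self.ttl = ttl                      # assumed lifetime of a POP3 login, in seconds
        self.bind_identity = bind_identity  # False: key on IP only; True: key on (ID, IP)
        self.clock = clock
        self.entries = {}                   # key -> expiry time

    def _key(self, ip, ident):
        return (ident.lower(), ip) if self.bind_identity else ip

    def pop3_login_ok(self, ip, user):
        """Record a successful POP3 USER/PASS seen from `ip`."""
        self.entries[self._key(ip, user)] = self.clock() + self.ttl

    def may_relay(self, ip, mail_from):
        """Decide at SMTP MAIL FROM time whether `ip` may relay."""
        key = self._key(ip, mail_from)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.entries[key]           # stale entry: drop it and refuse
            return False
        return True


def demo():
    """Run the same constructed session against both table designs."""
    now = [0.0]
    gateway = "203.0.113.7"                 # constructed: one NAT gateway IP shared by many clients
    results = {}
    for mode in (False, True):
        now[0] = 0.0
        table = PopBeforeSmtp(ttl=1800, bind_identity=mode, clock=lambda: now[0])
        table.pop3_login_ok(gateway, "alice@example.org")
        results[mode] = {
            "same_user": table.may_relay(gateway, "alice@example.org"),
            "other_client_behind_gateway": table.may_relay(gateway, "someone@example.net"),
            "alias_of_same_user": table.may_relay(gateway, "sales@example.org"),
        }
        now[0] = 1801.0                     # one second past the lifetime
        results[mode]["after_ttl"] = table.may_relay(gateway, "alice@example.org")
    return results
```

`demo()` shows both sides of the disagreement: the IP-only table lets any sender behind the gateway relay, while the tuple table refuses the same user's alias address. Neither design authenticates the SMTP session itself, because MAIL FROM is supplied by the client.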