It is already as you say.
In my opinion (as a user setting up my configuration) we should always activate SMTP AUTH and define as authorized an IP or subnet *only by exception*. And this is how I set up my system, using SMTP AUTH plus one single IP explicitly authorized, because it runs a poor webmail application that does POP3 authentication but is unable to do SMTP authentication (going to change it soon :-) ).
In this thread we are instead discussing having James announce to IPs in such authorized subnets that it manages SMTP AUTH, in order to have any client MUA (or even MTA) *optionally* authenticate, as in such a case our James MTA can do SMIME server side signatures (for example using the SMIMESign mailet). Obviously this would be a very special case...
Vincenzo
Lahu wrote:
Would it be better to prompt anyway for SMTP AUTH (it is not mandatory, but only a capability declaration, as I understand) and support further AUTH for authorized addresses too?
I was just wondering about it from a security standpoint. Having an entire subnet/multiple IP addresses defined as *Authorized* (and NOT asking for SMTP AUTH) might pose a problem in cases where the subnet/multiple IPs are compromised by viruses/worms/trojans. Every machine would start churning out hundreds of messages, eventually getting spooled by JAMES. Hence, I believe having SMTP AUTH as a further step for already AUTH'd addresses would work well in this situation.
Regards, Lahu
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
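An added example, not part of the original thread and not James code: a small Python model of the three policies the messages above compare, showing which sessions each one relays without a verified sender identity. The mode names, addresses and user name are constructed for illustration.

```python
import ipaddress

# Hypothetical mode names for this sketch; they are not James configuration values.
# exempt:      authorized addresses are not offered AUTH and relay anonymously
# announce:    AUTH is offered to everyone, required only outside authorized nets
# require_all: AUTH is required from every client, authorized or not
def smtp_policy(client_ip, authorized_nets, mode, auth_user=None):
    """Return (announce_auth, relay_allowed, verified_identity) for one session."""
    ip = ipaddress.ip_address(client_ip)
    authorized = any(ip in ipaddress.ip_network(n) for n in authorized_nets)
    if mode == "exempt":
        announce = not authorized
    elif mode in ("announce", "require_all"):
        announce = True
    else:
        raise ValueError(f"unknown mode: {mode}")
    # A client can only authenticate if the server advertised AUTH to it.
    identity = auth_user if announce else None
    if mode == "require_all":
        relay = identity is not None
    else:
        relay = authorized or identity is not None
    return announce, relay, identity


def anonymous_relays(sessions, authorized_nets, mode):
    """List the client IPs that would be relayed without a verified identity."""
    out = []
    for client_ip, auth_user in sessions:
        _, relay, identity = smtp_policy(client_ip, authorized_nets, mode, auth_user)
        if relay and identity is None:
            out.append(client_ip)
    return out


# Constructed sample data (documentation address ranges, made-up user name).
AUTHORIZED = ["192.0.2.0/24"]
SESSIONS = [
    ("192.0.2.10", "alice"),   # MUA in the authorized subnet that can do AUTH
    ("192.0.2.66", None),      # host in the same subnet sending without AUTH
    ("203.0.113.5", None),     # outside host, no credentials
]

if __name__ == "__main__":
    for mode in ("exempt", "announce", "require_all"):
        print(mode, anonymous_relays(SESSIONS, AUTHORIZED, mode))
```

In this model, announcing AUTH gives the server a verified identity for clients that choose to authenticate, while an unauthenticated host inside the authorized subnet is refused only when AUTH is required from every address.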
