We do pretty much the same thing. When moving the clients over from Exchange to UW-IMAP authentication was a problem. So we chose to use DRAC to integrate it with IMAP/POP3. It has been working great for two years.
I will also agree with Eric that a high percentage of the users out there are completely confused when we talk about things like setting permissions on SMTP auth. It's hard enough explaining what pop3 is. The pop-before-smtp in our case tracks by IP address. If they auth/access with either POP3 or IMAP they can send through SMTP for up to 30 minutes (default was 60, changed it before compile). As most clients check their email every 15 or so this isn't a problem. To ensure that we do not have problems we have several cronjobs the number of emails sent over the prior hour, if the number for any given client exceeds a threshold then we suspend the login account. It isn't elegant but it works. Here is one thing that we have encountered before though. We had a client that used to send out his newsletter to about 4000 people once a month but he didn't use SMTP to do it. He wrote a creative PHP page that would do it for him. I think some of the spammers do this as well. They can have a simple pre-designed web page that pulls they emails from a database, then they start spamming until the ISP shuts client down (during which time they get another freebee or cheap account). SMTP AUTH would do nothing to prevent this. Okay, now I'm just rambling... Gary Smith -----Original Message----- From: Eric W. Bates [mailto:[EMAIL PROTECTED] Sent: Thursday, March 11, 2004 6:53 AM To: [EMAIL PROTECTED] Subject: Re: pop-before-smtp Was: Opinions About SPF Greg Cirino - Cirelle Enterprises wrote: > | > -----Original Message----- > | > From: Bart Schaefer [mailto:[EMAIL PROTECTED] > | > > POP-before-SMTP requires no special client support. Just check your > | > > mail before you send any. There is no "problem" to discuss. > > SMTP-AUTH is a much better solution than P-b4-S and is more secure > > Greg We run an ISP, and have used a combination of pop-before-smtp and SMTP-AUTH for the last several years. We use both because customers are simply ineducable. When we can, we instruct folks to authenticate. We have not experienced race conditions. Since the tool tails a log file it is easy to tweak to parse the output from an imap (pop-before-smtp simply being a shorter name than parse-logfile-for-successful-authentication-under-other-protocol-before- allowing-smtp). Yes, many clients attempt to send before a pop; but believe it or not, the customers seem to prefer clicking "send/receive" twice rather than call us and learn. -- eric
