Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?

[Philip Miller <millenix@zemos.net>]

Hector Santos wrote:
> My only input with this would be to be aware that ESMTP AUTH is typically
> also used to open routing access in addressing the dynamic IP roaming user.
> It also enforces a non-null address, and in our case, optionally enforces or
> restricts the return path domain provided.
>
> In other words, ESMTP AUTH trumps all.   LMAP or no LMAP,  it opens routing
> to users.
Yes, except that AUTH does nothing on the public internet if spammers can 
originate messages from someone without authenticating as that someone. 
These are complementary. LMAP makes it so that mail from a given address can 
only come from a limited set of servers, and AUTH lets those servers ensure 
that the address on mail they're transmitting is not forged.
AUTH is only useful within an organization, not across the public internet. 
You can't expect to connect to one of AOL's MX servers, AUTH as somebody 
(how would you if you're not an AOL subscriber?), and have that server 
accept your mail. Note that a roaming user connecting to the home server is 
'within an organization'.

> Note, there are 3 basic ways email (smtp/pop3) server vendors open access to
> relaying/routing:
>
> 1)  The traditional IP relay tables
> 2)  ESMTP AUTH
> 3)  POP3 BEFORE SMTP
>
> The latter often used by ISP to reduce the user support issues created by
> the first two.  The first doesn't help the roaming user problem and the
> second require ESMTP ready end-user software and additional ISP setup
> instructions for the user.
Every major MUA has supported AUTH for a long time, AFAIK. Outlook, Outlook 
Express, Netscape (in all variants since at least 4), Eudora, etc. The real 
cost is user implementation. It imposes a massive support cost on any 
organization that does not control the machines used to send mail, such as 
most commercial ISPs. Note, however, that this does not affect AOL, because 
users must login before they can originate email. They have a semantically 
more sensible equivalent to POP-before-SMTP.

> However, POP3 BEFORE SMTP is based on the premise that most end-user mail
> software POP3 into a system before SENDING any mail.   For example, you will
> see this option in Outlook as
>
>             (*)  Pick up mail first before sending mail
>
> or something like that as alternative option to ( ) Server requires login to
> send mail.
POP-before-SMTP was an ugly hack to make up for shortcomings in existing 
software. Unfortunately, it stuck. It's clearly obsoleted by SMTP AUTH, but 
there's no compelling reason for users to switch, and thus ISPs have to deal 
with the inertia of their users. I think we're going to have to live with it 
for a long time.
However, that does not change the fact that LMAP and user authentication 
target 2 complentary but separate problems: domain forgery, which prevents 
holding anyone accountable, and user forgery, which is a nuisance best dealt 
with by the organization that hosts the user's address, since they are 
uniquely able to authenticate the user.

Philip Miller


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg