james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ken Lin <kennethlin2...@yahoo.com>
Subject RE: james SMTP authentication enforcement
Date Fri, 10 Mar 2006 23:09:37 GMT
Yes. I will ensure the fix will never block email to postmaster.
  Per prior discussion on the default behavior for SMTP authentication, I hope to classify
the 2 types of email traffic:
  (1) inter-domain: the sender and recipient address contain different domain name
  (2) intra-domain: the sender and recipient address contain same domain name.
  I so-far hear two arguments that we should not enforce SMTP authentication for intra-domain
  (1) RFC requires us to delivery to postmaster. Further, there might a business need for
a list of "guaranteed delivery" emails.
  (2) Intra-domain emails are less important than inter-domain emails.  SMTP authentication
doesn't completely prevent inter-domain email  address spoofing, so we shouldn't use it to
prevent "intra-domain"  spoofing.
  I think argument (1) is valid, and we should address it.
  However, I feel argument (2) is invalid.
  Intra-domain problem is quite important for large corporation (say  corporation > 100
people) and large ISPs (like aol, yahoo, gmail or  hotmail), because in these cases intra-domain
emails is a significant  portion all email traffic (especially in large corporations). 
  Intra-domain emails is not easy to protect either because of factors  like large number
of users, possibility of malicious attacks (worms or  human), and inability to constraint
user's IP address (in case of  yahoo, gmail, etc.)
  People do forget password from time to time, so I can see the  administrator might want
make exception for a small list of special  destination addresses (like postmaster@, abuse@,
support@, etc). 
  However, if administrator does turn on SMTP authentication, email  client of internal users
will anyway need to be set up to send in  authentication information on every SMTP request.
I wonder why the the  administrator wants to deliberately disable SMTP authentication for
ALL  intra-domain emails (which is the current behavior of James). Why  should SMTP only protect
emails sent to outside of corporation, and not  emails to a corporation?

"Noel J. Bergman" <noel@devtech.com> wrote:  > RFC 2821 - Simple Mail Transfer Protocol
> 4.5.1 Minimum Implementation
>   Any system that includes an SMTP server supporting mail relaying or
>   delivery MUST support the reserved mailbox "postmaster" as a case-
>   insensitive local name.

See also: http://www.rfc-ignorant.org/

People really do maintain block lists of those who do not properly follow
the RFCs.

 --- Noel

To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

Yahoo! Mail
Bring photos to life! New PhotoMail  makes sharing a breeze. 
  • Unnamed multipart/alternative (inline, 8-Bit, 0 bytes)
View raw message