james-server-dev mailing list archives

From Jürgen Hoffmann ...@byteaction.de>
Subject Re: POP3 and other handlers ...
Date Mon, 24 Jul 2006 05:07:55 GMT
Hi Noel,

On Monday, 24 July 2006 04:15, Noel J. Bergman wrote:
> And in ancient days, almost all mail servers were open relays.  And we also
> didn't used to have so many hotels, Internet cafes, offices, even some
> service providers, using non-routable subnets and a single gateway IP.  But
> with massive explosion of Internet access points and very little pickup for
> IPv6, non-routable subnets are now more the norm than the exception.
>
> POP3 before SMTP was a quick hack because POP3 already had authentication,
> and SMTP didn't have it (at the time).  Even sites, such as ORDB, that
> recommend POP3 before SMTP say that SMTP AUTH would be preferable.  Even
> POP3 is dangerous without SSL.  All of these protocols date back to long
> gone days when the population of the Internet was trustworthy.

I never said that POP3 before SMTP is preferable over SMTP-AUTH. I just say 
changing to SMTP-AUTH might cost a Service-Provider several thousand dollars. 
And POP3 before SMTP is an alternative, that saves him that money.

> > You can read the explanation about a different project and how it
> > handles this here: http://popbsmtp.sourceforge.net/manpage.shtml
>
> Yes, I know.  Your point?  Do you deny that mapping just the IP opens the
> door to re-use by everyone else using the gateway router?

Yes, I deny. My point is: there are numerous implementations out there. I 
myself administer a 10.000+ Account E-Mail Server, although using 
qmail+vpopmail there. We have been using POP3 before SMTP there and never 
ever had a Spamming Problem because of POP3 before SMTP. Again, why implement 
it differently than one would expect from it (Users and Administrators)?

>>> Better would be to maintain {ID, IP}-tuples.
>>> Although that would be more difficult, or perhaps less useful, in virtual
>>> user table situations, since the POP3 USER and the SMTP MAIL FROM would be
>>> different, it would be better than creating Open Relays;
>>
>> exactly.
>
> And so we agree, and need not argue the point.  :-)

Do we? I wrote "exactly", because this would mean to make POP3 before SMTP 
less useful. I also wrote in the example why. Multiple Identities, Username 
<> E-Mail Address. But just curious. Do I understand you correctly, that the ID 
is the User's E-Mail Address, or Username?

> > Then again the question at hand is why implement it different from
> > what the System Administrator would expect?
>
> Because I'm interested in security and correct behavior, not jumping off an
> old bridge that dates back to days when SMTP AUTH wasn't as common.

Ok. But SMTP is an old protocol as well. If you are a security aware person. 
One would not define the SMTP Protocol today as one did back in 1982. 
Transferring possibly confidential Data in Plaintext. Numerous Enhancements 
showed that. There even have been alternative approaches as with qmail and 
QMTP.

Would just because of that ancient RFC implement the protocol different?

That said, I know there is no RFC for POP3 before SMTP. And because of the RFC 
you would not implement SMTP Protocol differently. I just say that James should 
not implement it differently than any other Mailserver does or 3rd party 
solution does. It could be a configurable feature though, possibly giving 
the Administrator the choice, as we know, choice is a good thing :) 

-- 
Kind regards

Juergen 
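
The trade-off argued in this thread, sketched as an added example (not code from James or from either poster): a POP3-before-SMTP grant table keyed by IP alone versus by {ID, IP} tuple. The class and function names, the 600-second grant lifetime and all addresses are assumptions constructed for illustration.

```python
import time

GATEWAY_IP = "203.0.113.7"  # constructed: one NAT gateway shared by many clients


class PopBeforeSmtpTable:
    """Relay grants recorded after a successful POP3 login (hypothetical class)."""

    def __init__(self, ttl_seconds=600, bind_identity=False, clock=time.time):
        self.ttl = ttl_seconds              # assumed grant lifetime
        self.bind_identity = bind_identity  # False: IP only, True: {ID, IP} tuple
        self.clock = clock
        self.grants = {}                    # key -> expiry timestamp

    def _key(self, ip, identity):
        return (ip, identity.lower()) if self.bind_identity else (ip, None)

    def record_pop3_login(self, ip, pop3_user):
        self.grants[self._key(ip, pop3_user)] = self.clock() + self.ttl

    def may_relay(self, ip, mail_from):
        key = self._key(ip, mail_from)
        expiry = self.grants.get(key)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.grants[key]            # drop the expired grant
            return False
        return True


def scenario(bind_identity):
    """One POP3 login from the gateway, then SMTP attempts from several senders."""
    now = [0.0]                             # fake clock so the run is deterministic
    table = PopBeforeSmtpTable(600, bind_identity, clock=lambda: now[0])
    table.record_pop3_login(GATEWAY_IP, "alice@example.org")
    results = {
        "owner": table.may_relay(GATEWAY_IP, "alice@example.org"),
        "other_client_same_gateway": table.may_relay(GATEWAY_IP, "someone@example.net"),
        "owner_second_identity": table.may_relay(GATEWAY_IP, "sales@example.org"),
        "other_ip": table.may_relay("198.51.100.9", "alice@example.org"),
    }
    now[0] = 601.0                          # past the grant lifetime
    results["owner_after_ttl"] = table.may_relay(GATEWAY_IP, "alice@example.org")
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("tuple" if mode else "ip-only", scenario(mode))
```

With IP-only keys every sender behind the gateway is accepted until the grant expires; with tuple keys only the identity that logged in is accepted, which also rejects the account owner's second address.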


