<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
Steven F Siirila wrote:
<blockquote cite="mid20061103184229.GE25566@earth.tc.umn.edu"
type="cite">
<pre wrap="">On Fri, Nov 03, 2006 at 10:36:13AM -0800, Marc Perkel wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
Jim Trigg wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Fri, November 3, 2006 12:09 pm, Marc Perkel wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Gunter Ohrner wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Am Donnerstag, 2. November 2006 23:43 schrieb Marc Perkel:
</pre>
<blockquote type="cite">
<pre wrap="">email. And the virus wouldn't have access to the IMAP password so
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Why not?
</pre>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">Because the virus wouldn't have the password.
</pre>
</blockquote>
<pre wrap="">That doesn't answer the question. Why would the IMAP password be any less
accessible to a virus than the SMTP password? (For that matter, what you
just used was "proof by assertion" which is meaningless. "The virus
wouldn't have access to the IMAP password because the virus wouldn't have
the password.")
Jim Trigg
</pre>
</blockquote>
<pre wrap="">IMAP requires a password. SMTP it's optional.
</pre>
</blockquote>
<pre wrap=""><!---->
Not at the University of Minnesota.
We require ESMTP STARTTLS/AUTH over the standard mail submission port (587).
</pre>
</blockquote>
OK - but the rest of the world varies from what the University of
Minnesota does.<br>
<br>
<blockquote cite="mid20061103184229.GE25566@earth.tc.umn.edu"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">I think that consumer SMTP
should be replaced with not only something that requires a password, but
that the user has to log into the account that they are sending email
from.
</pre>
</blockquote>
<pre wrap=""><!---->
Not necessary -- configure your mail server to match your policy requirements.
</pre>
</blockquote>
Yes but it's optional. I've done it that way but others don't.<br>
<br>
<blockquote cite="mid20061103184229.GE25566@earth.tc.umn.edu"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">SMTP doesn't have to be tied to IMAP accounts.
</pre>
</blockquote>
<pre wrap=""><!---->
Correct. In fact, you can have multiple IMAP accounts configured in an
e-mail client, but may have only 1 SMTP account set up (which doesn't even
have to match up with any of the IMAP accounts). At least in Thunderbird.
</pre>
</blockquote>
<br>
But with outgoing IMAP you wouldn't have to configure outgoing email at
all.<br>
<blockquote cite="mid20061103184229.GE25566@earth.tc.umn.edu"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">If you have an SMTP account you can spoof anyone.
</pre>
</blockquote>
<pre wrap=""><!---->
That is an SMTP issue in general, not an authentication issue.
If you have Internet access at all, you can spoof anyone by simply
connecting to a remote port 25 and sending to your heart's content
without needing any passwords...
</pre>
</blockquote>
<br>
But you could limit a domain to require that the sending email come
from the account of the receiving email.<br>
<blockquote cite="mid20061103184229.GE25566@earth.tc.umn.edu"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">My idea with IMAP sending is to deny the
ability of the sender to use a different email address that the one that
they are logged into. This is to prevent spam and spoofing.
</pre>
</blockquote>
<pre wrap=""><!---->
You can certainly do this on your mail server, but you can't force every
other server on the Internet to do the same. :)
</pre>
</blockquote>
<br>
But I think if we tightend up the spec some we could eliminate most
spam.<br>
<br>
</body>
</html>