[Dovecot] Sending email over IMAP?

Eric Rostetter rostetter at mail.utexas.edu
Thu May 4 20:59:52 EEST 2006


Quoting Marc Perkel <marc at perkel.com>:

>> And at least as many significant disadvantages.
> Such as?

See the list discussion for starters...

>> Most all MTA systems already allow authentication, so this buys you nothing.
> But it's a separate authentication.

No, it _CAN_ be a authenticate the same credentials, or different ones.
As long as the policy is to authenticate the same credentials, then it
is the same as your proposal.  Your proposal simply limits the options
already available, in a way that will probably upset people.

> You can authenticate as anyone or

Only if you know their credentials.

> you can find an unauthenticated server that serves that IP space.

You can do this with your service also.  Just because you say IMAP can
now send mail, doesn't mean I have to send my mail that way.

> What
> I'm proposing ties the sending to the account of the receive showing
> the server that the same person who can read the email is sending the
> email.

What you are proposing is what I currently implement with SMTP AUTH,
but over a single connection instead of two.  That's all.

Now, if you also define that this service would force a pre-set email
address on the mail sent (which you didn't mention, and which could also
be worked into most existing MTA's) _then_ you would move slightly towards
reducing spoofing (though not completely, as there are other types of
spoofing that the usual types).

> I can spoof Bill Gates email address and send it. But I can't do that
> with this protocol.

You didn't specify that.  You would need to define how this would work.
I would guess it would work very poorly...

For example, rostetter at mail.utexas.edu is just an alias that doesn't
really exists as an account. It is a forwarding alias that resolves
to my real account.  If you restricted me to only using my real address,
I'll not be able to post to the mailing list anymore since my posting
address won't match the subscribed address...  In other words, your
system will/could break mail usage for anyone who uses multiple aliases,
multiple addresses, multiple hosts names for the same machine, etc.

>> I don't think it matters if it is easy or difficult to do, either in
>> general or for any particular IMAP software.  But it does matter that
>> there is a standard.  And a way to fall back in the client for those
>> systems which pre-date the new standard.
>>
> I'm not suggesting that we eliminate the old standard but add another choice.

Just realize that in doing so, you don't get full advantage of your
desire for simplification in the setup process.

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!


More information about the dovecot mailing list