[Dovecot] Sending email using IMAP

Marc Perkel marc at perkel.com
Fri Nov 3 19:00:08 UTC 2006 


Steven F Siirila wrote:
> On Fri, Nov 03, 2006 at 10:36:13AM -0800, Marc Perkel wrote:
>   
>> Jim Trigg wrote:
>>     
>>> On Fri, November 3, 2006 12:09 pm, Marc Perkel wrote:
>>>  
>>>       
>>>> Gunter Ohrner wrote:
>>>>    
>>>>         
>>>>> Am Donnerstag, 2. November 2006 23:43 schrieb Marc Perkel:
>>>>>
>>>>>      
>>>>>           
>>>>>> email. And the virus wouldn't have access to the IMAP password so
>>>>>>        
>>>>>>             
>>>  
>>>       
>>>>> Why not?
>>>>>      
>>>>>           
>>>  
>>>       
>>>> Because the virus wouldn't have the password.
>>>>    
>>>>         
>>> That doesn't answer the question.  Why would the IMAP password be any less
>>> accessible to a virus than the SMTP password?  (For that matter, what you
>>> just used was "proof by assertion" which is meaningless.  "The virus
>>> wouldn't have access to the IMAP password because the virus wouldn't have
>>> the password.")
>>>
>>> Jim Trigg
>>>
>>>  
>>>       
>> IMAP requires a password. SMTP it's optional.
>>     
>
> Not at the University of Minnesota.
> We require ESMTP STARTTLS/AUTH over the standard mail submission port (587).
>   
OK - but the rest of the world varies from what the University of 
Minnesota does.

>   
>> I think that consumer SMTP 
>> should be replaced with not only something that requires a password, but 
>> that the user has to log into the account that they are sending email 
>> from.
>>     
>
> Not necessary -- configure your mail server to match your policy requirements.
>   
Yes but it's optional. I've done it that way but others don't.

>   
>> SMTP doesn't have to be tied to IMAP accounts.
>>     
>
> Correct.  In fact, you can have multiple IMAP accounts configured in an
> e-mail client, but may have only 1 SMTP account set up (which doesn't even
> have to match up with any of the IMAP accounts).  At least in Thunderbird.
>   

But with outgoing IMAP you wouldn't have to configure outgoing email at all.
>   
>> If you have an SMTP account you can spoof anyone.
>>     
>
> That is an SMTP issue in general, not an authentication issue.
> If you have Internet access at all, you can spoof anyone by simply
> connecting to a remote port 25 and sending to your heart's content
> without needing any passwords...
>   

But you could limit a domain to require that the sending email come from 
the account of the receiving email.
>   
>> My idea with IMAP sending is to deny the 
>> ability of the sender to use a different email address that the one that 
>> they are logged into. This is to prevent spam and spoofing.
>>     
>
> You can certainly do this on your mail server, but you can't force every
> other server on the Internet to do the same.  :)
>   

But I think if we tightend up the spec some we could eliminate most spam.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://dovecot.org/pipermail/dovecot/attachments/20061103/551f3859/attachment-0001.html

More information about the dovecot mailing list