On Sat, Nov 04, 2006 at 06:53:29AM -0800, Marc Perkel wrote:
Magnus Holmgren wrote:
On Friday 03 November 2006 19:36, Marc Perkel took the opportunity to say:
IMAP requires a password. SMTP it's optional. I think that consumer SMTP should be replaced with not only something that requires a password, but that the user has to log into the account that they are sending email from. SMTP doesn't have to be tied to IMAP accounts. If you have an SMTP account you can spoof anyone. My idea with IMAP sending is to deny the ability of the sender to use a different email address than the one that they are logged into. This is to prevent spam and spoofing.
You never give up, do you? Every time you propose submission by IMAP many people tell you that there is no fundamental difference between that and authenticated SMTP. Every ISP in the world, including the large-scale spammers who act as ISPs themselves, would have to employ suitable policies to avoid transmitting spoofed email. SMTP will still be used to transmit the mail to its destinations. Real authenticity is achieved using digital signatures, e.g. DKIM, in combination with SPF and your personal trust preferences. For example, GMail allows their users to send mail from any email address they can demonstrate that they own. That's good, that's what you want, and it is completely unrelated to IMAP.
There is a fundamental difference.
- You can use SMTP or authenticated SMTP to authenticate and send email through ANY server and it doesn't require that the authentication have anything to do with the authentication of the IMAP account. If you had an IMAP protocol to send email then you could lock out the SMTP protocols for end users and force them to have to authenticate using the same protocols. This gives you several advantages. You can make it so that the from address and reply to address match the IMAP account prohibiting spoofing of email addresses. It can be used to prevent user mischief.
You can do the same thing with authenticated SMTP (tie the from address and reply to address to the authenticated user).
- It eliminated 50% of user setup in that once you set up IMAP you need not set up outgoing email.
Minor.
- It gets you around port blocking. If you can receive email you can send email. This is good for those traveling who have trouble finding a working SMTP server.
So does standardizing on the already-established submission port (587).
- A server who advertises through DNS that they have these restrictions can prevent spam as other servers can reject spam from that domain that comes from outside the rules advertised.
If you can get LOTS of folks to advertise something via DNS, I have much better ways to reject spam. For example, get IP network owners to publish IP addresses which are never authorized to send direct-to-MX mail. This would eliminate tons of spam from zombies on dynamic IP addresses.
- Why use 2 protocols when you can use one?
Because they're industry standards and in wide use.
--
Steven F. Siirila                   Office: Lind Hall, Room 130B
Internet Services                   E-mail: sfs@umn.edu
Office of Information Technology    Voice: (612) 626-0244
University of Minnesota             Fax: (612) 626-7593
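
The point made in the reply above, that authenticated SMTP can tie the From and Reply-To addresses to the authenticated user, can be sketched as a submission-time policy check. This is an added example, not code from the thread or from any mail server; the `ALLOWED` map, the function names and the sample messages are constructed for illustration, and checking `Sender` as well is an assumption beyond the two headers the thread names.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical map: authenticated login -> addresses that login may send as.
ALLOWED = {
    "alice": {"alice@example.org", "sales@example.org"},
    "bob": {"bob@example.org"},
}

# From and Reply-To are the headers named in the thread; Sender is an added assumption.
CHECKED_HEADERS = ("From", "Sender", "Reply-To")


def normalize(addr):
    """Compare addresses case-insensitively (a policy choice, stricter than the RFC requires)."""
    return addr.strip().lower()


def check_submission(auth_user, envelope_from, raw_message):
    """Return a list of policy violations; an empty list means the message is accepted."""
    allowed = {normalize(a) for a in ALLOWED.get(auth_user, ())}
    problems = []
    if normalize(envelope_from) not in allowed:
        problems.append(f"MAIL FROM {envelope_from!r} not owned by {auth_user!r}")
    msg = message_from_string(raw_message)
    from_count = len(msg.get_all("From", []))
    if from_count != 1:
        # Missing or duplicated From headers are a classic way to confuse display logic.
        problems.append(f"expected exactly one From header, got {from_count}")
    for name in CHECKED_HEADERS:
        # getaddresses() separates the display name from the real address, so a
        # display name that merely looks like an allowed address does not pass.
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if normalize(addr) not in allowed:
                problems.append(f"{name} address {addr!r} not owned by {auth_user!r}")
    return problems


# Constructed sample messages (not taken from any real mail).
GOOD = "From: Alice <Alice@Example.org>\nReply-To: sales@example.org\nSubject: hi\n\nbody\n"
SPOOFED = 'From: "bob@example.org" <ceo@example.net>\nSubject: hi\n\nbody\n'
BAD_REPLY_TO = "From: bob@example.org\nReply-To: other@example.net\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    print(check_submission("alice", "alice@example.org", GOOD))
    print(check_submission("bob", "bob@example.org", SPOOFED))
    print(check_submission("bob", "bob@example.org", BAD_REPLY_TO))
```

A check like this only constrains mail submitted through the server that runs it, which is the objection raised in the thread: other operators have to apply a comparable policy for it to mean anything to recipients.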