Quoting Marc Perkel <marc@perkel.com>:

>> And at least as many significant disadvantages.
>
> Such as?

See the list discussion for starters...

>> Most all MTA systems already allow authentication, so this buys you nothing.
>
> But it's a separate authentication.

No, it _CAN_ be a authenticate the same credentials, or different ones. As long as the policy is to authenticate the same credentials, then it is the same as your proposal. Your proposal simply limits the options already available, in a way that will probably upset people.

> You can authenticate as anyone or

Only if you know their credentials.

> you can find an unauthenticated server that serves that IP space.

You can do this with your service also. Just because you say IMAP can now send mail, doesn't mean I have to send my mail that way.

> What I'm proposing ties the sending to the account of the receive showing the server that the same person who can read the email is sending the email.

What you are proposing is what I currently implement with SMTP AUTH, but over a single connection instead of two. That's all.

Now, if you also define that this service would force a pre-set email address on the mail sent (which you didn't mention, and which could also be worked into most existing MTAs) _then_ you would move slightly towards reducing spoofing (though not completely, as there are other types of spoofing than the usual types).

> I can spoof Bill Gates email address and send it. But I can't do that with this protocol.

You didn't specify that. You would need to define how this would work. I would guess it would work very poorly...

For example, rostetter@mail.utexas.edu is just an alias that doesn't really exist as an account. It is a forwarding alias that resolves to my real account. If you restricted me to only using my real address, I'll not be able to post to the mailing list anymore since my posting address won't match the subscribed address... In other words, your system will/could break mail usage for anyone who uses multiple aliases, multiple addresses, multiple host names for the same machine, etc.

>> I don't think it matters if it is easy or difficult to do, either in general or for any particular IMAP software. But it does matter that there is a standard. And a way to fall back in the client for those systems which pre-date the new standard.
>
> I'm not suggesting that we eliminate the old standard but add another choice.

Just realize that in doing so, you don't get full advantage of your desire for simplification in the setup process.
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
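
The alias problem raised in the reply above, as an added example that is not part of the original message or of any MTA or IMAP server: a sender check that binds the envelope sender to the authenticated login, once as a strict match on the real account address and once with alias resolution. The account names, addresses and function names are all constructed for illustration.

```python
# Added illustration: every name and address here is constructed.

# Constructed alias table: alias address -> address it forwards to.
ALIASES = {
    "pat@mail.example.org": "pat@physics.example.org",
    "staff@example.org": "pat@mail.example.org",
}

# Constructed account table: login name -> real account mailbox.
ACCOUNTS = {
    "pat": "pat@physics.example.org",
    "lee": "lee@physics.example.org",
}


def normalize(addr):
    """Trim and lower-case an address for comparison (a simplification:
    local parts may be case-sensitive, though few sites treat them so)."""
    return addr.strip().lower()


def resolve(addr, aliases=ALIASES, max_hops=10):
    """Follow forwarding aliases to the final mailbox, refusing loops."""
    seen = set()
    addr = normalize(addr)
    while addr in aliases:
        if addr in seen or len(seen) >= max_hops:
            raise ValueError("alias loop at " + addr)
        seen.add(addr)
        addr = normalize(aliases[addr])
    return addr


def sender_allowed(login, mail_from, strict):
    """May the authenticated login send with mail_from as the sender?

    strict=True  accepts only the account's own address.
    strict=False accepts any alias that resolves to that account.
    """
    own = ACCOUNTS.get(login)
    if own is None:
        return False  # unknown login: nothing to bind the sender to
    if strict:
        return normalize(mail_from) == normalize(own)
    try:
        return resolve(mail_from) == normalize(own)
    except ValueError:
        return False  # a looping alias never maps to an account
```

With strict=True the forwarding alias is rejected, which is the mailing-list breakage described above; with strict=False the alias passes, while another account's alias and an unrelated address are still refused.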