Marc Perkel wrote:
IMAP requires a password. SMTP it's optional. I think that consumer SMTP should be replaced with not only something that requires a password, but that the user has to log into the account that they are sending email from. SMTP doesn't have to be tied to IMAP accounts. If you have an SMTP account you can spoof anyone. My idea with IMAP sending is to deny the ability of the sender to use a different email address than the one that they are logged into. This is to prevent spam and spoofing.
I don't know what SMTP software you're using, but on my servers port 587 *requires* authentication and port 25 requires authentication in order to relay mail. Of course, once authenticated, you can put anything you want for sender address but that, too, can be prevented with a reasonable MTA and correct configuration.
Basically, my point is that you can configure your SMTP server to enforce whatever restrictions you want on the envelope or even the headers. Just because you can configure it to be an open relay doesn't mean you have to have it configured that way.
--
William Astle
Lexicom Ltd.
Phone: +1-403-262-6610
Long Distance: 1-877-426-6277
Email: astle@lexi.net
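
The following is an added example, not part of either post and not any MTA's own code: an MTA-agnostic model of the three checks the reply describes (authentication required on port 587, authentication required to relay on port 25, and an authenticated user limited to envelope senders they own). The names `decide`, `OWNED` and `LOCAL_DOMAINS`, the addresses, and the reply codes chosen are assumptions made for the illustration.

```python
# Added illustration: a model of the policy checks, not a real MTA.
# All logins, addresses and domains below are constructed sample data.
LOCAL_DOMAINS = {"example.org"}
OWNED = {  # authenticated login -> envelope senders that login may use
    "alice": {"alice@example.org", "sales@example.org"},
    "bob": {"bob@example.org"},
}

def normalize(addr):
    """Strip angle brackets and lowercase. Folding the local part's case
    is a site policy assumption, not something SMTP requires."""
    return addr.strip().lstrip("<").rstrip(">").strip().lower()

def decide(port, login, mail_from, rcpt_to):
    """Return (code, reason) for one MAIL FROM / RCPT TO pair.
    login is None when the session has not authenticated."""
    sender = normalize(mail_from)
    rcpt_domain = normalize(rcpt_to).rpartition("@")[2]
    if port == 587 and login is None:
        return 530, "authentication required on the submission port"
    if login is None:
        # Port 25 without authentication: local delivery only, never relay.
        if rcpt_domain not in LOCAL_DOMAINS:
            return 550, "relay denied without authentication"
        return 250, "accepted for local delivery"
    # Authenticated session: the envelope sender must belong to this login.
    # The null sender "<>" normalizes to "" and is therefore refused too.
    if sender not in OWNED.get(login, set()):
        return 553, "sender address not owned by authenticated user"
    return 250, "accepted"

if __name__ == "__main__":
    samples = [  # constructed sessions: (port, login, MAIL FROM, RCPT TO)
        (587, None, "<alice@example.org>", "x@example.net"),
        (25, None, "<someone@example.net>", "bob@example.org"),
        (25, None, "<someone@example.net>", "y@example.com"),
        (587, "bob", "<Alice@Example.ORG>", "x@example.net"),
        (587, "alice", "<Sales@Example.org>", "x@example.net"),
    ]
    for s in samples:
        print(s, "->", decide(*s))
```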