[Dovecot] Sending email over IMAP?

Les Mikesell lesmikesell at gmail.com
Thu May 4 19:54:34 EEST 2006


On Thu, 2006-05-04 at 11:24, Marc Perkel wrote:
> > > 1) It would greatly simplify setup for clients as they would only have 
> > > to configure one connection rather than two.
> > >     
> > Why would it be easier for a client to add a new sending method
> > than to simply have an option to use the same credentials for
> > smtp auth for sending?
> >   
> But - if it were part of IMAP then half of the setup goes away.
> Outgoing email configuration goes away.

No it doesn't.  The other options are going to go away even if
this becomes another choice.

> > > 2) Spam reduction by authentication. The sending of email over the same 
> > > connection tells the server that the person who is the sender of the 
> > > email also has demonstrated they have access to read the account. This 
> > > would be a powerful whitelisting criteria for eliminating fake senders.
> > >     
> > Smtp auth already handles this.
> >   
> But - the incoming server and outgoing server can be and usually are
> different. I can send email spoofing anyone.

Again, adding another option doesn't change your ability to
spoof through an existing smtp server that allows it.  But
smtp servers don't have to allow it now.

> But if I send through IMAP I would be showing the server that the
> person sending the email has access to read the email.

What you are showing is that you know some user's password.
The same thing you show in smtp auth.

>  This would be powerful as an authentication mechanism. With
> authenticated SMTP all you are saying to the world is that you have some
> account somewhere that will accept your email, but not that you can
> read it. See the difference?

No, in many/most cases it is the same server or at least
authenticating against the same login/password database.
    
> > Most current MUAs already handle smtp authentication and
> > ssl.  Why make things worse with yet another standard?
> >   
> Not making things worse with another standard, just convenient and it
> has the ability to demonstrate that the email came from the connection
> that read the email.

It does make things worse because no client knows how to do
it and there would be years of version confusion about
which ones do/don't support it if it is added now.

> It's simplification and identity verification.

It might have been if it had been done before smtp auth.

-- 
  Les Mikesell
   lesmikesell at gmail.com



