[Dovecot] Sending email using IMAP

Steven F Siirila sfs at tc.umn.edu
Fri Nov 3 18:42:29 UTC 2006


On Fri, Nov 03, 2006 at 10:36:13AM -0800, Marc Perkel wrote:
> 
> 
> Jim Trigg wrote:
> >On Fri, November 3, 2006 12:09 pm, Marc Perkel wrote:
> >  
> >>Gunter Ohrner wrote:
> >>    
> >>>Am Donnerstag, 2. November 2006 23:43 schrieb Marc Perkel:
> >>>
> >>>      
> >>>>email. And the virus wouldn't have access to the IMAP password so
> >>>>        
> >
> >  
> >>>Why not?
> >>>      
> >
> >  
> >>Because the virus wouldn't have the password.
> >>    
> >
> >That doesn't answer the question.  Why would the IMAP password be any less
> >accessible to a virus than the SMTP password?  (For that matter, what you
> >just used was "proof by assertion" which is meaningless.  "The virus
> >wouldn't have access to the IMAP password because the virus wouldn't have
> >the password.")
> >
> >Jim Trigg
> >
> >  
> 
> IMAP requires a password. SMTP it's optional.

Not at the University of Minnesota.
We require ESMTP STARTTLS/AUTH over the standard mail submission port (587).

> I think that consumer SMTP 
> should be replaced with not only something that requires a password, but 
> that the user has to log into the account that they are sending email 
> from.

Not necessary -- configure your mail server to match your policy requirements.

> SMTP doesn't have to be tied to IMAP accounts.

Correct.  In fact, you can have multiple IMAP accounts configured in an
e-mail client, but may have only 1 SMTP account set up (which doesn't even
have to match up with any of the IMAP accounts).  At least in Thunderbird.

> If you have an SMTP account you can spoof anyone.

That is an SMTP issue in general, not an authentication issue.
If you have Internet access at all, you can spoof anyone by simply
connecting to a remote port 25 and sending to your heart's content
without needing any passwords...

> My idea with IMAP sending is to deny the 
> ability of the sender to use a different email address that the one that 
> they are logged into. This is to prevent spam and spoofing.

You can certainly do this on your mail server, but you can't force every
other server on the Internet to do the same.  :)

-- 

Steven F. Siirila			Office: Lind Hall, Room 130B
Internet Services			E-mail: sfs at umn.edu
Office of Information Technology	Voice: (612) 626-0244
University of Minnesota			Fax: (612) 626-7593


More information about the dovecot mailing list