[Dovecot] Sending email using IMAP

Jim Trigg jtrigg at spamcop.net
Fri Nov 3 19:47:24 UTC 2006

On Fri, November 3, 2006 1:36 pm, Marc Perkel wrote:
> Jim Trigg wrote:
>> On Fri, November 3, 2006 12:09 pm, Marc Perkel wrote:
>>> Gunter Ohrner wrote:
>>>> Am Donnerstag, 2. November 2006 23:43 schrieb Marc Perkel:
>>>>> email. And the virus wouldn't have access to the IMAP password so
>>>> Why not?
>>> Because the virus wouldn't have the password.
>> That doesn't answer the question.  Why would the IMAP password be any
>> less accessible to a virus than the SMTP password?  (For that matter,
>> what you just used was "proof by assertion" which is meaningless.  "The
>> virus wouldn't have access to the IMAP password because the virus
>> wouldn't have the password.")

> IMAP requires a password. SMTP it's optional. I think that consumer SMTP
> should be replaced with not only something that requires a password, but
> that the user has to log into the account that they are sending email
> from. SMTP doesn't have to be tied to IMAP accounts. If you have an SMTP
> account you can spoof anyone. My idea with IMAP sending is to deny the
> ability of the sender to use a different email address that the one that
> they are logged into. This is to prevent spam and spoofing.

Sorry, I thought the whole discussion was IMAP-sending versus SMTP-AUTH. 
Any submission port that is using neither SMTP-AUTH nor
pop/imap-before-smtp is not worth considering, and any that is using such
effectively requires a password to send email.  As for preventing
spoofing, there are scenarios in which it is necessary (real-life case
study available on request).


More information about the dovecot mailing list