[Dovecot] Sending email using IMAP

Steven F Siirila sfs at tc.umn.edu
Sat Nov 4 15:05:08 UTC 2006

On Sat, Nov 04, 2006 at 06:53:29AM -0800, Marc Perkel wrote:
> Magnus Holmgren wrote:
> >On Friday 03 November 2006 19:36, Marc Perkel took the opportunity to say:
> >  
> >>IMAP requires a password. SMTP it's optional. I think that consumer SMTP
> >>should be replaced with not only something that requires a password, but
> >>that the user has to log into the account that they are sending email
> >>from. SMTP doesn't have to be tied to IMAP accounts. If you have an SMTP
> >>account you can spoof anyone. My idea with IMAP sending is to deny the
> >>ability of the sender to use a different email address that the one that
> >>they are logged into. This is to prevent spam and spoofing.
> >>    
> >
> >You never give up, do you? Every time you propose submission by IMAP many 
> >people tell you that there is no fundamental difference between that and 
> >authenticated SMTP. Every ISP in the world, including the large-scale 
> >spammers who act as ISPs themselves, would have to employ suitable 
> >policies to avoid transmitting spoofed email. SMTP will still be used to 
> >transmit the mail to its destinations. Real authenticity is achieved using 
> >digital signatures, e.g. DKIM, in combination with SPF and your personal 
> >trust preferences. For example, GMail allows their users to send mail from 
> >any email address they can demonstrate that they own. That's good, that's 
> >what yoy want, and it is completely unrelated to IMAP.
> >
> >  
> There is a fundamental difference.
> 1) You can use SMTP or authenticated SMTP to authenticate and send email 
> through ANY server and it doesn't require that the authentication have 
> anything to do with the authentication of the IMAP account. If you had 
> an IMAP protocol to send email then you could lock out the SMTP 
> protocols for end users and force the to have to authenticate using the 
> same protocols. This gives you several advantages. You can make it so 
> that the from address and reply to address match the IMAP account 
> prohibiting spoofing of email addresses. It can be used to prevent user 
> mischief.

You can do the same thing with authenticated SMTP (tie the from address
and reply to address to the authenticated user).

> 2) It eliminated 50% of user setup in that once you set up IMAP you need 
> not set up oupgoing email.


> 3) It gets you around port blocking. If you can receive email you can 
> send email This is good for those traveling who have trouble finding a 
> working SMTP server.

So does standardizing on the already-established submission port (587).

> 4) A server who advertizes through DNS that they have these restrictions 
> can prevent spam as other servers can reject spam from that domain that 
> comes from outside the rules advertized.

If you can get LOTS of folks to advertise something via DNS, I have much
better ways to reject spam.  For example, get IP network owners to publish
IP addresses which are never authorized to send direct-to-MX mail.  This
would eliminate tons of spam from zombies on dynamic IP addresses.

> 5) Why use 2 protocols when you can use one?

Because they're industry standards and in wide use.


Steven F. Siirila			Office: Lind Hall, Room 130B
Internet Services			E-mail: sfs at umn.edu
Office of Information Technology	Voice: (612) 626-0244
University of Minnesota			Fax: (612) 626-7593

More information about the dovecot mailing list