
Re: smtp_pass: why is it unneeded?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, June 24 at 09:30 AM, quoth dv1445@xxxxxxxxx:
> I use mutt's IMAP to check my email, and mutt's built-in SMTP to 
> point to my remote SMTP server (that is, I have set 
> smtp_url=smtps://blah.com).  I also have set smtp_pass, but I've 
> discovered by accident that I can send mail even with smtp_pass 
> commented out, and without mutt asking me to enter that password.

So can I! But that's because I put the password into the smtp_url.

> It *seemed* that somebody (mutt, or the smtp server) is determining 
> the user name and password needed by the smtp server, by looking at 
> what imap_user and imap_pass are.

Unlikely. More likely, your server has implemented IMAP-before-SMTP, 
which means anyone from your IP address can send email via SMTP 
without a username or password. It's not that it's figuring out what 
your username and password are, it's that successful logins to your 
IMAP server probably put your IP address on a whitelist that your SMTP 
server uses. My server does the same thing... in part because some of 
my users really didn't want to understand SMTP-AUTH or enter their 
password into their email client more than once, and rather than roll 
my eyes and sigh at them and try and argue that two different email 
protocols are necessary and the ability to have different passwords 
for each is absolutely necessary, I just implemented IMAP-before-SMTP. 
The devil is in the details, and there are some drawbacks to this kind 
of policy (which I can get into, but is probably off-topic for this 
list), but it's a common-enough setup that I wouldn't be surprised if 
your server does it.

> However, this can't be right, because if I leave imap_user in place, 
> so that only smtp_pass and imap_pass are unset, I can send mail 
> without being prompted for anything.

So... your IMAP server will let you log in without a password?

> I'm beginning to wonder if I'm really getting authenticated smtp 
> service.

It's not authenticated (really) if you don't specify a user and 
password for SMTP... but you could consider that authenticating via 
IMAP authenticated you for SMTP as well. It's kinda all in how you 
look at it.

~Kyle
- -- 
And thou shalt smite the house of Ahab thy master, that I may avenge 
the blood of my servants the prophets, and the blood of all the 
servants of the LORD, at the hand of Jezebel. For the whole house of 
Ahab shall perish.
                                             -- Bible, II Kings (9:7-8)
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!

iEYEARECAAYFAkhhE0AACgkQBkIOoMqOI14YBgCeKcsoio3g9aEdpBAzI4tDPL9q
gxUAoKokoJrB6EHJ6Ar2Pw0wv7Gt9ysv
=3yNA
-----END PGP SIGNATURE-----
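
An added example, not part of the original message: one way to answer "am I really getting authenticated SMTP?" is to read the SMTP dialogue and check whether a non-local recipient was accepted before or after a successful AUTH (reply code 235). The `C:`/`S:` transcript format, the function name, the host names and `local_domains` are assumptions made for this illustration.

```python
import re

# Constructed SMTP dialogues (C: client, S: server); all hosts are placeholders.
HEAD = """S: 220 mail.example.net ESMTP
C: EHLO client.example.org
S: 250-mail.example.net
S: 250-AUTH PLAIN LOGIN
S: 250 8BITMIME
"""
TAIL = """C: MAIL FROM:<user@example.net>
S: 250 2.1.0 Ok
C: RCPT TO:<friend@example.com>
S: 250 2.1.5 Ok
C: QUIT
S: 221 2.0.0 Bye
"""
AUTH = """C: AUTH PLAIN <base64 credentials elided>
S: 235 2.7.0 Authentication successful
"""
SESSION_NO_AUTH = HEAD + TAIL
SESSION_AUTH = HEAD + AUTH + TAIL

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def classify_session(transcript, local_domains=("example.net",)):
    """Report whether relay to a non-local recipient followed a successful AUTH."""
    offered = authed = False
    cmd, rcpt_domain, verdict = "", "", "no external recipient accepted"
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            cmd = text.split(" ", 1)[0].upper()
            if cmd == "RCPT":
                rcpt_domain = text.rsplit("@", 1)[-1].rstrip(">").lower()
            continue
        m = REPLY.match(text)
        if side != "S" or not m:
            continue
        code, sep, rest = m.groups()
        if cmd == "EHLO" and code == "250" and rest.upper().startswith("AUTH"):
            offered = True   # server advertises SMTP AUTH
        elif code == "235":
            authed = True    # 235 = AUTH succeeded
        elif (cmd == "RCPT" and sep == " " and code in ("250", "251")
              and rcpt_domain not in local_domains):
            verdict = "relayed after AUTH" if authed else "relayed without AUTH"
    return {"auth_offered": offered, "verdict": verdict}

if __name__ == "__main__":
    for name, s in (("no AUTH", SESSION_NO_AUTH), ("AUTH", SESSION_AUTH)):
        print(name, classify_session(s))
```

A "relayed without AUTH" verdict for an external recipient means the server granted relay on some other basis, such as the IP whitelist described above, even though it advertises AUTH.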