Re: smtp_pass: why is it unneeded?
- To: mutt-users@xxxxxxxx
- Subject: Re: smtp_pass: why is it unneeded?
- From: Kyle Wheeler <kyle-mutt@xxxxxxxxxxxxxx>
- Date: Tue, 24 Jun 2008 10:31:12 -0500
- Comment: DomainKeys? See http://domainkeys.sourceforge.net/
- Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=memoryhole.net; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to; s=default; bh=/KZOdspSgPfeToeUp2a7ZE0sABs=; b=dQ31 Qn9sOPvlV6v+y2R2ZiUuuTF5IwAYquuBaasZXE6/SFRwOmYOkFXODijCxVaaNaMY 0lfo2B+qrCqJIL2/Vg5i6fEpaTlxTYRFC+kmwLJI86H5mEV3SQ9nmKYgNThhb2gA HHzpEzrRLBb07MeLkPabtmhN8G9Ar+cr0wu6HYU=
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=memoryhole.net; b=cCJpS/pmk9LO9IhedQnSZJjWYHgU0KKKyG2XH/KZ7gfYUxR0surHWZGq2/MufeBEzj1q85JvS+77cb0LZDBS/F2jhZyS/M4uPo2vkknLcuakzgsFJjtl6iqJ6TZl1pJLqXIwARxMc/7ZYKfOcIs8AEjkCLCZu+nfcE2K3dlQULU=; h=Received:Received:Date:From:To:Subject:Message-ID:Mail-Followup-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:OpenPGP:User-Agent;
- In-reply-to: <20080624133016.GA598@xxxxxxxxxxxx>
- List-post: <mailto:mutt-users@mutt.org>
- List-unsubscribe: send mail to majordomo@mutt.org, body only "unsubscribe mutt-users"
- Mail-followup-to: mutt-users@xxxxxxxx
- Openpgp: id=CA8E235E; url=http://www.memoryhole.net/~kyle/kyle-pgp.asc; preference=signencrypt
- References: <20080624133016.GA598@xxxxxxxxxxxx>
- Sender: owner-mutt-users@xxxxxxxx
- User-agent: Mutt/1.5.18 (2008-06-02)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday, June 24 at 09:30 AM, quoth dv1445@xxxxxxxxx:
> I use mutt's IMAP to check my email, and mutt's built-in SMTP to
> point to my remote SMTP server (that is, I have set
> smtp_url=smtps://blah.com). I also have set smtp_pass, but I've
> discovered by accident that I can send mail even with smtp_pass
> commented out, and without mutt asking me to enter that password.
So can I! But that's because I put the password into the smtp_url.
> It *seemed* that somebody (mutt, or the smtp server) is determining
> the user name and password needed by the smtp server, by looking at
> what imap_user and imap_pass are.
Unlikely. More likely, your server has implemented IMAP-before-SMTP,
which means anyone from your IP address can send email via SMTP
without a username or password. It's not that it's figuring out what
your username and password are, it's that successful logins to your
IMAP server probably put your IP address on a whitelist that your SMTP
server uses. My server does the same thing... in part because some of
my users really didn't want to understand SMTP-AUTH or enter their
password into their email client more than once, and rather than roll
my eyes and sigh at them and try and argue that two different email
protocols are necessary and the ability to have different passwords
for each is absolutely necessary, I just implemented IMAP-before-SMTP.
The devil is in the details, and there are some drawbacks to this kind
of policy (which I can get into, but is probably offtopic of this
list), but it's a common-enough setup that I wouldn't be surprised if
your server does it.
> However, this can't be right, because if I leave imap_user in place,
> so that only smtp_pass and imap_pass are unset, I can send mail
> without being prompted for anything.
So... your IMAP server will let you log in without a password?
> I'm beginning to wonder if I'm really getting authenticated smtp
> service.
It's not authenticated (really) if you don't specify a user and
password for SMTP... but you could consider that authenticating via
IMAP authenticated you for SMTP as well. It's kinda all in how you
look at it.
~Kyle
- --
And thou shalt smite the house of Ahab thy master, that I may avenge
the blood of my servants the prophets, and the blood of all the
servants of the LORD, at the hand of Jezebel. For the whole house of
Ahab shall perish.
-- Bible, II Kings (9:7-8)
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!
iEYEARECAAYFAkhhE0AACgkQBkIOoMqOI14YBgCeKcsoio3g9aEdpBAzI4tDPL9q
gxUAoKokoJrB6EHJ6Ar2Pw0wv7Gt9ysv
=3yNA
-----END PGP SIGNATURE-----