
Re: smtp_pass: why is it unneeded?



Thus spake Kyle Wheeler [06/24/08 @ 10.31.12 -0500]:
> On Tuesday, June 24 at 09:30 AM, quoth dv1445@xxxxxxxxx:
> > I use mutt's IMAP to check my email, and mutt's built-in SMTP to 
> > point to my remote SMTP server (that is, I have set 
> > smtp_url=smtps://blah.com).  I also have set smtp_pass, but I've 
> > discovered by accident that I can send mail even with smtp_pass 
> > commented out, and without mutt asking me to enter that password.
> >
> > It *seemed* that somebody (mutt, or the smtp server) is determining 
> > the user name and password needed by the smtp server, by looking at 
> > what imap_user and imap_pass are.
> 
> Unlikely. More likely, your server has implemented IMAP-before-SMTP, 
> which means anyone from your IP address can send email via SMTP 
> without a username or password. It's not that it's figuring out what 
> your username and password are, it's that successful logins to your 
> IMAP server probably put your IP address on a whitelist that your SMTP 
> server uses. My server does the same thing... in part because some of 
> my users really didn't want to understand SMTP-AUTH or enter their 
> password into their email client more than once, and rather than roll 
> my eyes and sigh at them and try and argue that two different email 
> protocols are necessary and the ability to have different passwords 
> for each is absolutely necessary, I just implemented IMAP-before-SMTP. 
> The devil is in the details, and there are some drawbacks to this kind 
> of policy (which I can get into, but is probably off-topic for this 
> list), but it's a common-enough setup that I wouldn't be surprised if 
> your server does it.

OK, good, I was hoping it was something like that.
 
> > However, this can't be right, because if I leave imap_user in place, 
> > so that only smtp_pass and imap_pass are unset, I can send mail 
> > without being prompted for anything.
> 
> So... your IMAP server will let you log in without a password?

No, but once I'm reading my mail, an "unset imap_pass" together with "unset 
smtp_pass" still allows me to send.  This lends some credence to your theory 
that by checking my mail I've unlocked an outer deadbolt and so my server 
thinks there's no need to lock my desk drawers as well.

> > I'm beginning to wonder if I'm really getting authenticated smtp 
> > service.
> 
> It's not authenticated (really) if you don't specify a user and 
> password for SMTP... but you could consider that authenticating via 
> IMAP authenticated you for SMTP as well. It's kinda all in how you 
> look at it.

Got it.  Thanks!
-g
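
Added example (not part of the original messages): a small Python check for the question raised in the thread, namely whether an SMTP session actually used SMTP AUTH or was accepted without it, as happens when the server trusts the client IP after an IMAP login. The `C:`/`S:` transcript format, host names and addresses are constructed for illustration.

```python
import re

# Constructed transcript ("C:" client, "S:" server). Host names and addresses
# are placeholders, not values from the thread.
SESSION_NO_AUTH = """\
S: 220 mail.example.org ESMTP
C: EHLO client.example.net
S: 250-mail.example.org
S: 250-AUTH PLAIN LOGIN
S: 250 8BITMIME
C: MAIL FROM:<user@example.org>
S: 250 ok
C: RCPT TO:<friend@example.com>
S: 250 ok
C: QUIT
S: 221 bye
"""
# Same session with an AUTH exchange before MAIL FROM (credentials redacted).
SESSION_AUTH = SESSION_NO_AUTH.replace(
    "C: MAIL FROM",
    "C: AUTH PLAIN <redacted>\nS: 235 authentication succeeded\nC: MAIL FROM")
# Same session, but the server refuses to relay for an unknown client.
SESSION_DENIED = SESSION_NO_AUTH.replace(
    "friend@example.com>\nS: 250 ok",
    "friend@example.com>\nS: 550 relaying denied")

def classify(transcript):
    """Say whether a recorded SMTP session sent mail with or without AUTH."""
    offered = authed = accepted = in_auth = False
    verb = ""
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and not in_auth:
            verb = (text.split() or [""])[0].upper()
            in_auth = verb == "AUTH"
        elif side == "S":
            code = text[:3]
            if re.match(r"250[- ]AUTH\b", text):
                offered = True             # EHLO reply advertises SMTP AUTH
            if in_auth and code != "334":  # 334 is a challenge; exchange goes on
                authed, in_auth = authed or code == "235", False
            elif verb == "RCPT" and code in ("250", "251"):
                accepted = True            # server agreed to take the recipient
    verdict = "rejected" if not accepted else (
        "smtp-auth" if authed else "accepted-without-auth")
    return {"auth_offered": offered, "auth_used": authed, "verdict": verdict}
```

A verdict of `accepted-without-auth` together with `auth_offered` being true matches the situation described above: the server supports SMTP AUTH, but the message was accepted on some other basis, such as the client's IP address.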