
Re: smtp_pass: why is it unneeded?




On Wednesday, June 25 at 07:42 PM, quoth Michelle Konzack:
> On 2008-06-24 10:31:12, Kyle Wheeler wrote:
>> Unlikely. More likely, your server has implemented IMAP-before-SMTP, 
>> which means anyone from your IP address can send email via SMTP 
>> without a username or password. It's not that it's figuring out what 
>> your username and password are, it's that successful logins to your 
>> IMAP server probably put your IP address on a whitelist that your SMTP 
>> server uses.
>
> Does this work only with Linux Clients or under Windows too?

If your server uses this technique, it doesn't matter what OS or 
software the client is using.

> Hmmm, there are intelligent viruses and Trojans which use the SMTP
> relay of one's provider... and if he/she connects successfully to
> IMAP, the viruses or Trojans can spam the world "legally"...

Indeed. But then, if they can authenticate to your ISP via IMAP, 
there's little reason to think that they can't also authenticate to 
your ISP via SMTP (it's usually the same username and password, and 
the same server even).

>> for each is absolutely necessary, I just implemented 
>> IMAP-before-SMTP. The devil is in the details, and there are some 
>> drawbacks to this kind of policy (which I can get into, but is 
>> probably offtopic of this list), but it's a common-enough setup 
>> that I wouldn't be surprised if your server does it.
>
> The thing above?

... I'm afraid I don't understand what you're asking. As a guess... 
yes, the "it" in the phrase "if your server does it" is referring to 
IMAP-before-SMTP.

~Kyle
-- 
Idealism increases in direct proportion to one's distance from the 
problem.
                                                     -- John Galsworthy
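The IMAP-before-SMTP whitelist described in the message above, as an added sketch that is not part of the original post and not any real mail server's code. The log format, the class and function names, and the 30-minute expiry are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed log format for this example (not any real server's format):
#   <ISO timestamp> imap-login: <ok|failed> user=<name> rip=<client IP>
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: (?P<result>ok|failed) "
    r"user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)

class ImapBeforeSmtp:
    """IP whitelist fed by successful IMAP logins, consulted by the SMTP side."""

    def __init__(self, ttl_minutes=30):  # expiry window is an assumption
        self.ttl = timedelta(minutes=ttl_minutes)
        self.expires = {}  # client IP -> time the relay permission lapses

    def feed(self, line):
        """Record the source IP of a successful IMAP login; ignore the rest."""
        m = LOGIN_RE.match(line)
        if m and m["result"] == "ok":
            self.expires[m["ip"]] = datetime.fromisoformat(m["ts"]) + self.ttl

    def may_relay(self, ip, now):
        """SMTP-side decision: only the source IP is checked, never a user."""
        exp = self.expires.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self.expires[ip]  # permission lapsed, drop the entry
            return False
        return True

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    "2008-06-25T19:42:00 imap-login: ok user=alice rip=192.0.2.10",
    "2008-06-25T19:43:10 imap-login: failed user=bob rip=198.51.100.7",
]

def demo():
    wl = ImapBeforeSmtp(ttl_minutes=30)
    for line in SAMPLE_LOG:
        wl.feed(line)
    at = datetime.fromisoformat
    return {
        # Any program on 192.0.2.10 may relay without SMTP credentials.
        "same_ip_in_window": wl.may_relay("192.0.2.10", at("2008-06-25T19:50:00")),
        "failed_login_ip": wl.may_relay("198.51.100.7", at("2008-06-25T19:50:00")),
        "same_ip_after_expiry": wl.may_relay("192.0.2.10", at("2008-06-25T20:30:00")),
    }
```

The SMTP-side check takes no username at all, which is why the client's OS or mail program is irrelevant and why every process or host sharing that address inherits the relay permission until it lapses.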