SPF was->(Re: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail)
John Rudd
jrudd at UCSC.EDU
Thu Dec 18 16:00:30 GMT 2003
On Dec 17, 2003, at 11:08 PM, David Höhn wrote:
> As far as I can see this requires the use of SASL and SMTP AUTH. This is
> exactly where problems for very large ISP and even small time users
> start. In my humble opinion, even though I would like to see SMTP AUTH
> and SASL used more often, that is a kludge for many that are working at
> a huge ISP. First of all because I need to find a way to keep the SASL
> data synched over possibly 20 or more MailServer and I need to explain
> to every user how she/he can use SMTP-AUTH. Not to mention that some
> MUAs (no I am not looking at your MUAs Microso....) only support
> insecure authentication methods which I would not ever want to recommend
> to a roaming or even a remote user.
>
> While I find the idea interesting I simply think that this is the
> show-stopper. But then again, I would to be incorrect on this one.

For insecure authentication methods, provide SMTP+SSL, allowing the
authentication information to be protected by SSL if it's not being
protected by a secure SASL.

For password synchronization, use Kerberos and multiple KDCs to
distribute the authentication load. Hopefully both via plain text
SMTP-AUTH (because there are too many MUAs that don't support Kerberos)
and via GSSAPI-SASL for SMTP-AUTH (for good MUAs).

(here at UCSC, our new mail servers are using SMTP+SSL and plain text
SMTP-AUTH, that is checked against the user's Kerberos password; the
MTA is CommuniGate Pro using an external authenticator that checks
against Kerberos)
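
Added example, not part of the original message: a check that a server only advertises plain text SMTP-AUTH mechanisms once the session is under SSL/TLS, as the reply above recommends. The EHLO replies and the hostname mail.example.edu are constructed sample data, and the function names are hypothetical.

```python
import re

# Mechanisms that put the password on the wire in recoverable form
# (base64 only), so they depend on SSL/TLS for confidentiality.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def auth_mechs(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Handles "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=PLAIN" form.
        m = re.match(r"250[ -]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(cleartext_reply, tls_reply):
    """Compare the EHLO reply seen before SSL/TLS with the one seen after."""
    before, after = auth_mechs(cleartext_reply), auth_mechs(tls_reply)
    return {
        # Password-revealing mechanisms offered on an unencrypted channel.
        "exposed": sorted(before & CLEARTEXT_MECHS),
        # Plain text SMTP-AUTH available only under SSL/TLS (the goal).
        "protected": sorted((after - before) & CLEARTEXT_MECHS),
        # GSSAPI (Kerberos) offered for MUAs that support it.
        "gssapi": "GSSAPI" in after,
    }

# Constructed sample replies (not captured from any real server).
WEAK_CLEAR = "250-mail.example.edu\r\n250-AUTH PLAIN LOGIN GSSAPI\r\n250 STARTTLS"
GOOD_CLEAR = "250-mail.example.edu\r\n250-AUTH GSSAPI\r\n250 STARTTLS"
TLS_REPLY = "250-mail.example.edu\r\n250-AUTH=PLAIN LOGIN\r\n250 AUTH PLAIN LOGIN GSSAPI"

if __name__ == "__main__":
    print("weak:", audit(WEAK_CLEAR, TLS_REPLY))
    print("good:", audit(GOOD_CLEAR, TLS_REPLY))
```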