Author: Tor Slettnes
Date:
To: Alan J. Flavell
CC: Exim users list
Subject: Re: [exim] ignore spam scanning of outgoing mail
Alan J. Flavell wrote:
>>On Wed, 2004-10-27 at 09:17 -0700, Tor Slettnes wrote:
>>
>>
>>>Couldn't you have them always authenticate, even when within your
>>>premises?
>>>
>>>
>In mitigation, I think I'd say that the original motive when
>authenticated submission was introduced here, had been to maintain
>minimal complexity (unsecured unauthenticated mail submission) for the
>on-campus majority, while offering an additional facility (requiring
>them to authenticate over a secure path) for an off-campus minority
>who would be willing to learn a new trick.
>
>
No contradiction there. Those with laptops have to learn the new
trick; but the trick would be applicable whether they were off- or
on-campus. Users that are always on campus don't need to authenticate.
>Since the sysadmins wouldn't touch some of the mail clients that they
>use, not even with an extremely long barge-pole, we really don't want
>the hassle of being expected to tell them which checkboxes to check,
>and how to cope with the fact that their client handles TLS in
>non-standard ways, and what to do about their root server
>certificates, and all that stuff that's liable to come up in practice.
>
Sure, TLS is a can of worms. However, you may still allow (secure, e.g.
MD5 or Kerberos) authentication without TLS/SSL. That way, there are no
certificate issues, issues with no "STARTTLS" command given for SSL
transactions on ports other than 25, or for that matter, issues with
port numbers in the first place.
It is also much simpler to explain to users:
"Our outgoing (SMTP) mail server requires MD5 authentication; use the
same username/password as for POP3/IMAP access".
Alternatively, you could always use one of the various (albeit inferior)
SMTP-after-POP schemes, such as DRAC.