Re: [exim] exim 4.4 authentication

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [exim] exim 4.4 authentication
On Mon, 14 Mar 2005, Tony Finch wrote:

> On Mon, 14 Mar 2005, Christopher Chaduka wrote:
> >
> > The reason for putting an IP or IPs there is for cases where you don't
> > need some clients with fixed addresses to auth, e.g. your LAN
>
> You don't want to do that, because it exposes your users to
> man-in-the-middle attacks. It is MUCH better to allow authentication
> from everywhere, and tell your users to configure their software to
> REQUIRE secure authentication.
I can see your point, I think; but for desktop client machines that
are firmly wired to the office LAN and never go off site, this hardly
seems to be a consideration.

> Many MUAs make it easy to configure this to be optional, which makes
> users likely to have their outgoing email intercepted by an SMTP
> proxy firewall, which can lead to incorrect email routeing and
> possible rejection or loss of messages.

If you have no control over the network to which the client attaches
(e.g. home or SOHO ISP connections), then that is all very true, and
it's what we're now offering our users at the departmental level. But
for fixed machines which are managed by the dept and wired to the dept
network, we stayed with the old non-auth submission on port 25.

There is still one problematic area with that, however. When users
contrive to produce a mail which the server rejects (e.g. they try to
send a mail with its envelope-sender set to a defective address, or
with broken header syntax etc.) then it seems some clients get very
confused by the 5xx response from the server. In some cases, the user
goes away believing their mail has been sent successfully, when in
fact it has not. In other cases, the client host appears to treat the
5xx as a temporary failure, and keeps retrying the mail at 10-minute
intervals for days on end, until we spot the problem.

Would there be any improvement in this area if we were to move to
using the client submission port(s) instead of the SMTP port 25?
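As an added example (not part of this thread or of the Exim distribution), the Exim configuration fragments below implement the approach Tony recommends: advertise STARTTLS to everyone, offer AUTH from everywhere but only once TLS is up, and run a submission port (587) that refuses unauthenticated mail even from the LAN. The certificate paths, the `relay_from_hosts` range, the domain and the password file are assumptions; `$tls_cipher` is the variable name current releases also accept as `$tls_in_cipher`.

```exim
# Added example: main options, RCPT ACL and a PLAIN authenticator.
# Paths, address ranges and domain names below are assumptions.

daemon_smtp_ports = 25 : 587

domainlist local_domains    = example.org                 # assumed
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.1.0/24  # assumed LAN

# STARTTLS for all clients; AUTH is only advertised on a TLS session,
# so a client can never be tricked into sending a plaintext password.
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/mail.example.org.crt   # assumed path
tls_privatekey       = /etc/exim/mail.example.org.key   # assumed path
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Port 587 is for authenticated submission only: reject anything
  # else there, LAN included, instead of silently relaying it.
  deny    message        = Authentication required on the submission port
          condition      = ${if eq{$received_port}{587}}
          !authenticated = *

  # Fixed LAN machines may still submit unauthenticated on port 25.
  accept  hosts          = +relay_from_hosts

  # Anyone, anywhere, once authenticated (which implies TLS, above).
  accept  authenticated  = *

  accept  domains        = +local_domains
  deny    message        = relay not permitted

begin authenticators

# PLAIN, refused unless the session is already encrypted.
plain:
  driver                     = plaintext
  public_name                = PLAIN
  server_prompts             = :
  server_advertise_condition = ${if def:tls_cipher}
  server_condition           = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id              = $auth2
```

With this layout, a client configured to require authentication gets a clear failure on a plaintext session rather than a silently accepted or silently dropped message, which is the behaviour the thread is arguing for.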