--On March 14, 2005 10:43:00 +0000 "Alan J. Flavell"
<a.flavell@???> wrote:
> On Mon, 14 Mar 2005, Tony Finch wrote:
>
>> On Mon, 14 Mar 2005, Christopher Chaduka wrote:
>> >
>> > The reason for putting an IP or IPs there is for cases where you don't
>> > need some clients with fixed addresses to auth, e.g. your LAN
>>
>> You don't want to do that, because it exposes your users to
>> man-in-the-middle attacks. It is MUCH better to allow authentication
>> from everywhere, and tell your users to configure their software to
>> REQUIRE secure authentication.
>
> I can see your point, I think; but for desktop client machines that
> are firmly wired to the office LAN and never go off site, this hardly
> seems to be a consideration.
>
>> Many MUAs make it easy to configure this to be optional, which makes
>> users likely to have their outgoing email intercepted by an SMTP
>> proxy firewall, which can lead to incorrect email routeing and
>> possible rejection or loss of messages.
>
> If you have no control over the network to which the client attaches
> (e.g home or SOHO ISP connections), then that is all very true, and
> it's what we're now offering our users at the departmental level. But
> for fixed machines which are managed by the dept and wired to the dept
> network, we stayed with the old non-auth submission on port 25.
>
> There is still one problematic area with that, however. When users
> contrive to produce a mail which the server rejects (e.g they try to
> send a mail with its envelope-sender set to a defective address, or
> with broken header syntax etc.) then it seems some clients get very
> confused by the 5xx response from the server. In some cases, the user
> goes away believing their mail has been sent successfully, when in
> fact it has not. In other cases, the client host appears to treat the
> 5xx as a temporary failure, and keeps retrying the mail at 10-minute
> intervals for days on end, until we spot the problem.
>
> Would there be any improvement in this area if we were to move to
> using the client submission port(s) instead of the SMTP port 25 ?
Yes, definitely. You can configure Exim to accept all mail on port 587 -
PROVIDED you require authentication on that port. If you find that you
can't deliver the mail, then you can generate a bounce message instead of
rejecting it. Normally that's a bad idea, but if its an authenticated
sender, then you know who to send the bounce to.
Another advantage of requiring authenticated SMTP is that you reduce the
risk of a virus outbreak on your network. We're trying to move towards
requiring auth SMTP on campus, and we've already started to require it on
subnets that have had virus outbreaks.
--
Ian Eiloart
Servers Team
Sussex University ITS
