Re: [exim] mail.app and authentication

Author: Nigel Metheringham
Date:  
To: exim-users
CC: Clive McDowell
Subject: Re: [exim] mail.app and authentication
Tony Finch wrote:
> On Fri, 3 Mar 2006, Clive McDowell wrote:
>
>> we have a problem with mail.app and also kmail. Our site only advertises
>> AUTH for IP addresses outside our domain for the reasons explained in the
>> Exim book. For some reason mail.app and kmail will only authenticate
>> correctly if AUTH is advertised. This happens over ports 25, 465 and 587.
>>

[...]

> It's much better to advertise AUTH to all clients, then clients can use
> the same configuration wherever they connect from. This makes them less
> vulnerable to attack and should make it easier to handle support queries.
>

As I understand MSA (on port 587) - whilst admitting I'm being too lazy
to go and carefully check the RFC right now - it would appear to me to
never be right to allow mail sending without authentication.

So I think that on the MSA port you should always allow STARTTLS,
allow (advertise) AUTH as long as you are in TLS (alternatively allow
CRAM or DIGEST auth out of TLS mode), and (obviously for MSA) refuse all
mail sends without an authenticated sender.

    Nigel.
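
The policy discussed in this thread, sketched as an Exim configuration fragment (an added example, not part of the original messages or anyone's actual site configuration). It assumes an Exim version that provides `$tls_in_cipher` (older releases used `$tls_cipher`); the certificate and credential file paths, the ACL name and the authenticator names are placeholders.

```exim
# --- main section ---
daemon_smtp_ports   = 25 : 587
tls_advertise_hosts = *                           # always offer STARTTLS
tls_certificate     = /etc/exim/tls/server.pem    # placeholder path
tls_privatekey      = /etc/exim/tls/server.key    # placeholder path

# Advertise AUTH to every client address, so a client behaves the same
# wherever it connects from. Which mechanisms are actually offered is
# decided per authenticator below.
auth_advertise_hosts = *

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Submission port: refuse MAIL FROM unless the session authenticated.
  deny    condition      = ${if eq{$received_port}{587}{yes}{no}}
          !authenticated = *
          message        = Authentication required on the submission port
  accept

begin authenticators

# Cleartext mechanism: offered only once the session is inside TLS.
plain_tls_only:
  driver                     = plaintext
  public_name                = PLAIN
  server_advertise_condition = ${if def:tls_in_cipher}
  server_prompts             = :
  # placeholder credential store: lines of "user: crypted-password"
  server_condition = ${if crypteq{$auth3}\
                       {${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id              = $auth2

# Challenge-response mechanism: may be offered outside TLS as well.
cram_any:
  driver        = cram_md5
  public_name   = CRAM-MD5
  # placeholder secret store: lines of "user: shared-secret"
  server_secret = ${lookup{$auth1}lsearch{/etc/exim/cram-secrets}{$value}fail}
  server_set_id = $auth1
```

Running `exim -bh` with a test client address opens a fake SMTP session in which the EHLO response shows which AUTH mechanisms this configuration would advertise to that address.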