
Connectivity Issues for a ODMR Server



I know that this is months too late for the Final Call (and the RFC has already been published) but I just found out about it and had some thoughts that I would have raised at Final Call time so here goes anyway (for any good it can do if there is any attempt to revise the RFC).

----------------------------------------------------------------------


<RANT>


Recently I have seen RFCs and other suggestions that, under the guise of trying to control SPAM and/or BLOCK RELAYING, suggest that ISPs enact procedures that amount to denying their users access to the services that the user has paid and contracted for. In particular, there is the blocking of access to the SMTP Port (so a user cannot send EMAIL) when the user is currently attempting to establish the connection from a location that is not on the ISP's WAN (i.e., not from a Dial-Up Gateway port or a Direct Connection to the ISP's Network). IMO, the ISP should provide some means to accept a connection from such users no matter where their current connection is established. The restrictions in section 8 of the RFC, again IMO, amount to more of the same approval of denial of service on the part of the ISP based ONLY on where the user is connecting from.

</RANT>

Now that THAT is off my chest <g>, I will comment and explain my reasoning on this issue.

If someone attempts to connect to a POP Server and provides a valid USERID and PASSWORD, they are permitted to download all Email in the mailbox that is owned by that UserID (i.e., knowledge of the UserID/Password combination is regarded as adequate "proof of identity" to permit this process).

An ESMTP Server (connected per section 8) to ISPa's Network that, in response to the AUTH challenge prompt from ISPa's ODMR Server, provides the correct response will be allowed to ATRN the connection and receive queued EMAIL (i.e., in this case, again, the correct response is regarded as adequate "proof of identity" to permit the process to occur).

I see no reason why the ODMR process should be more restrictive than the POP Process, especially since the POP Process allows plain text passwords and does not require a secure challenge/response like Kerberos or APOP [which are optional for POP Logon] while ODMR requires the use of AUTH [which is a secure transmission of the password].