
Re: SMTP AUTH design-team meeting addendum



On Fri, 4 Sep 1998, John Gardiner Myers wrote:
> The SMTP AUTH spec should mention the principle that servers SHOULD NOT
> advertise the existence of mechanisms whose use provides no benefit to
> either client or server.  For example, consider a server which
> implements CRAM-MD5 authentication, and has the policy that clients
> connecting from certain networks have authorization which is not
> affected by authentication.  Since CRAM-MD5 does not implement a
> security layer, it does not itself provide a benefit to the client.  If
> the policy for a given client is such that CRAM-MD5 authentication does
> not affect the client's authorization, then the server should not
> advertise the CRAM-MD5 mechanism to that particular client.

I agree.  But this wording is a bit subtle.  Here's another try:

If an existing SMTP server is reconfigured or upgraded to advertise
authentication mechanisms, this is likely to cause new SMTP client UIs to
begin prompting users for their passwords.  As such a behavior change may
be undesirable at some sites, servers SHOULD NOT advertise client-only
authentication mechanisms, such as CRAM-MD5, unless they grant the client
additional delivery rights or services.
---

I wish we could include a non-normative appendix with the three primary 
usage scenarios for SMTP AUTH in combination with port 25.  But I think
this is better deferred for an applicability statement produced after SMTP
Submit and the revised SMTP specs are published:

An SMTP server on port 25 allows delivery to local users without
authentication, but requires SMTP AUTH to relay mail to non-local users.

An SMTP server on port 25 allows delivery to local users without
authentication, but requires either SMTP AUTH or access from a trusted
subnet to relay mail to non-local users. 

An SMTP server on port 25 is used only for delivery to local users, does
not advertise SMTP AUTH and does not relay mail to non-local users.  A
separate SMTP server on a different port or different machine is used to
"submit" mail and requires the use of SMTP AUTH. 

		- Chris
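As an added illustration, not part of this thread, here is a small Python policy model of a port-25 server covering the three scenarios above together with the proposed rule: AUTH (CRAM-MD5) is advertised only to clients for whom authenticating would actually unlock relaying. The domain, server name and the 192.0.2.0/24 trusted subnet are constructed values, and the class and method names are assumptions.

```python
import ipaddress

# Constructed sample values: the local domain, the server's greeting name
# and a trusted subnet taken from the documentation address range.
LOCAL_DOMAINS = {"example.org"}
SERVER_NAME = "mail.example.org"


class Port25Policy:
    """Relay and advertisement policy for one port-25 server (hypothetical).
    relay_with_auth=True alone is scenario 1, adding a trusted subnet gives
    scenario 2, and relay_with_auth=False is the delivery-only scenario 3."""

    def __init__(self, relay_with_auth, trusted_nets=()):
        self.relay_with_auth = relay_with_auth
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted_nets)

    def auth_grants_relay(self, client_ip):
        # A client-only mechanism such as CRAM-MD5 buys this client nothing
        # unless it unlocks relaying that the client's network lacks.
        return self.relay_with_auth and not self.is_trusted(client_ip)

    def ehlo_lines(self, client_ip):
        """EHLO response: AUTH is advertised only where it grants relay rights."""
        lines = ["250-" + SERVER_NAME]
        if self.auth_grants_relay(client_ip):
            lines.append("250-AUTH CRAM-MD5")
        lines.append("250 HELP")
        return lines

    def accept_rcpt(self, client_ip, authenticated, rcpt_domain):
        """RCPT TO decision: local delivery is always open; relaying needs a
        trusted subnet or, where the policy allows it, a successful AUTH."""
        if rcpt_domain in LOCAL_DOMAINS or self.is_trusted(client_ip):
            return True
        return self.relay_with_auth and authenticated


SCENARIOS = {
    "auth_only": Port25Policy(relay_with_auth=True),
    "auth_or_subnet": Port25Policy(relay_with_auth=True, trusted_nets=["192.0.2.0/24"]),
    "delivery_only": Port25Policy(relay_with_auth=False),
}
```

A client inside the trusted subnet of the second scenario never sees an AUTH keyword, so an upgraded server does not start prompting those users for passwords, while an outside client still gets AUTH offered because it would unlock relaying.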