[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SMTP Kerberos support
On 11/2/11 1:57 PM, Hector Santos wrote:
Of course, the #1 reason it doesn't apply in an public port 25 SMTP
standard is because it can not be enforced. And I should note that
the discussions regarding 4yz policy based rejections w/o time hints,
to me, was understood to be only applicable to unauthenticated,
anonymous senders. Once a sender is known by any form of
authentication, policies such as greylisting or other sender filtering
methods should not be applied. I know there is the possibility of a
compromised user, but thats a different set of issues (and most
complex, costly considerations) in my opinion.
Authenticating outbound SMTP servers provides an effective enforcement
method for dealing with compromised systems. Ensuring certainty of a
requirement to mitigate compromised accounts makes this happen. A
preliminary authentication process providing a lead of many hours offers
a reasonable strategy to offer advanced notice when a problem requires
intervention. Often this only entails a reply that action will be taken.
To get an idea about how Kerberos might be deployed in wider
environments, see RFC6281. Duration of these tickets were set at 10
hours. Not exactly a difficult timing constraint. There could also be
servers acting in their stead to facilitate ticket retrial when clients
are within highly constrained environments.