On Sun, 9 Aug 2009 12:12:32 +0200, RoMan Mandziejewicz
<r...@p...pl> wrote:

> Musi adresowane od lub do użytkownika tego serwera. Nie musi obcych.

A kto Cię tak okłamał?

--8<--

4.3. Require Authentication


The MSA MUST by default issue an error response to the MAIL command
if the session has not been authenticated using [SMTP-AUTH], unless
it has already independently established authentication or
authorization (such as being within a protected subnetwork).

Section 3.3 discusses authentication mechanisms.

--8<--

--8<--

3.3. Authorized Submission


Numerous methods have been used to ensure that only authorized users
are able to submit messages. These methods include authenticated
SMTP, IP address restrictions, secure IP and other tunnels, and prior
POP authentication.

Authenticated SMTP [SMTP-AUTH] has seen widespread deployment. It
allows the MSA to determine an authorization identity for the message
submission, one that is not tied to other protocols.

IP address restrictions are very widely implemented, but do not allow
for travelers and similar situations, and can be easily spoofed
unless all transport paths between the MUA and MSA are trustworthy.






Gellens & Klensin Standards Track [Page 6]


RFC 4409 Message Submission for Mail April 2006


Secure IP [IPSEC], and other encrypted and authenticated tunneling
techniques, can also be used and provide additional benefits of
protection against eavesdropping and traffic analysis.

Requiring a POP [POP3] authentication (from the same IP address)
within some amount of time (e.g., 20 minutes) prior to the start of a
message submission session has also been used, but this does impose
restrictions on clients as well as servers, which may cause
difficulties. Specifically, the client must do a POP authentication
before an SMTP submission session, and not all clients are capable
and configured for this. Also, the MSA must coordinate with the POP
server, which may be difficult. There is also a window during which
an unauthorized user can submit messages and appear to be a
previously authorized user. Since it is dependent on the MUA's IP
addresses, this technique is substantially as subject to IP address
spoofing as validation based on known IP addresses alone (see above).

--8<--

> Problemem nie jest nadawanie na porcie 25 ale pootwierane serwery,
> niepilnujące co i od kogo odbierają. I zmiana portów nic tu nie
> zmieni.

A jak mają pilnować co i od kogo odbierają [1], skoro głównym
założeniem MTA jest przyjmowanie poczty do lokalnych
użytkowników?

r.

[1] -- tak, są mechanizmy filtrowania. Tak, nie zawsze są
skuteczne i zużywaja zasoby odbiorcy.
--
____________________________________________________
_____________
robert rędziak mailto:giekao-at-gmail-dot-com

I hope they don't fart at Greenpeace. That's bad for Gaia.