North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMTP authentication for broadband providers

  • From: Mark Foster
  • Date: Fri Feb 13 10:25:55 2004

On Fri, Feb 13, 2004 at 11:05:16AM +0000, [email protected] wrote:
> > To attack spam, we need to attack it at its core, not at some secondary 
> or
> > tertiary side-effect, with a mechanism that also hurt legitimate users.
> We, as network operators don't need to attack spam. We need
> to ignore spam itself and get to work securing the network
> that enables spammers to do their dirty work.
Much talk about using SMTP AUTH, but nothing about using STARTTLS?
Alone, SMTP AUTH is somewhat better, but requires that the passwords be stored
plain-text on the server (CRAM-MD5 or DIGEST-MD5), or that the password 
traverse the wire in plain-text (PLAIN or LOGIN). 

So by requiring STARTTLS for SMTP AUTH the transmission can be encrypted and 
the passwords on the server encrypted as well. 

Furthermore, if mail server admins step up and enable STARTTLS on their systems 
it opens up the possibilities of using certificate verification and PKI.

Some days it's just not worth chewing through the restraints...
Mark Foster <[email protected]>

Attachment: pgp00033.pgp
Description: PGP signature