Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: smtp auth (was Re: the importance of security)

From: Dewitt Latimer <dewitt () ND EDU>
Date: Mon, 16 Aug 2004 16:39:13 -0500
yes...there are/were some issues with early version of Eudora (pre v5), but
we have not experienced any problems with mainstream MUA's that are within
12-18 months old of release.

As a side note, it doesn't really make sense to implement SMTPAuth without
also implementing SSL.  Otherwise, you're just sending another instance of
the password in the clear.  We have SSL'ed both SMTP, IMAP, and POP for
ResNet (mandatory).  The settings are optional for faculty/staff with a good
many people moving towards it on their own.  It will be mandatory later this
fall when a couple of colleges get caught up with their workload and can
update some faculty MUAs.

-d


----- Original Message -----
From: "Matthew Keller" <kellermg () POTSDAM EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, August 16, 2004 2:51 PM
Subject: Re: [SECURITY] smtp auth (was Re: [SECURITY] the importance of
security)



Proceed with caution: SMTP Auth is not widely supported by MUA's and a
lot of MUA's that support "authenticated SMTP" may support slightly
different versions of "it" then what you implement. The is no
one-size-fits all "SMTP Auth" solution with universal (or even
near-universal) MUA support.



http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=%22smtp+auth%22&btnG=Search


On Mon, 2004-08-16 at 14:35, Kevin Shalla wrote:

I'm unfamiliar with smtp auth.  Does this mean that when the user tries

to

send an email message that they are required to authenticate, and can

only

send messages with a "from" address of that username to which they just
authenticated?  If so, this could make email a fairly secure
intra-university means of communication, correct?  Does anyone have a

link

to beginner's background reading on this?

At 12:05 PM 8/11/2004, Gary Flynn wrote:

Jere Retzer wrote:


The first two items seem mainly intended to ensure that your school is

a

good network citizen so I can understand a management temptation to

ask

"what is the benefit to us?" Is that the problem?

Does anyone have data to help frame these particular policies in terms
of general acceptance? Are most schools now doing this or are there
pressures from the government of ISPs?


We implemented SMTP auth and port 25 blocks a couple
years ago.


**********
Participation and subscription information for this EDUCAUSE Discussion

Group discussion list can be found at http://www.educause.edu/cg/.

--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
"No one ever says, 'I can't read that ASCII E-mail you sent me.'"

**********
Participation and subscription information for this EDUCAUSE Discussion

Group discussion list can be found at http://www.educause.edu/cg/.




**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
Previous By Date Next
Previous By Thread Next

Current thread: