On 5/18/25 12:14 PM, Tom Beecher via NANOG wrote:
> "I am FOO." = Identification
> "This is proof I am FOO" = Authentication
Okay. I think that's a fair distinction.
Based on these meanings, I think that most contemporary MTAs use some
form of (weak) authenticated identity. The most common that I see is
reverse DNS with forward DNS confirmation. A less common form of
(client) authentication is username & password.
N.B. Only less common in that there are more MTA-to-MTA connections than
there are MUA-to-MTA connections. -- I'm eliding illegitimate
connections like credential stuffing attacks.
I haven't seen a properly configured Internet accessible MTA not do any
form of authentication in many years. More like multiple decades at
this point.
So I posit that Brent's "SMTP do not authenticate" statement is outdated
at best.
What is done with that authenticated identity is downstream of, and
independent of, the authentication process itself.
- Maybe it's not used.
- Maybe it's only used for logging (Received: header and / or SYSLOG).
- Maybe it's used to alter what the client is allowed to do.
--
Grant. . . .
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/HTGJVDAV7JMKZ27VABCRP5PBKBT4WQ3N/
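The "reverse DNS with forward DNS confirmation" check the post describes, followed by the two downstream uses it lists (a Received: clause and a permission decision), as an added example that is not code from the thread or from any MTA. The DNS records are a constructed in-memory zone using RFC 5737/3849 documentation addresses so it runs offline; the `system_ptr`/`system_addr` helpers show how the same check would be wired to the OS resolver; the Received: clause format and the permission table are illustrative assumptions, not any particular MTA's policy.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as weak client identity for an MTA.

Added example, not code from the NANOG thread. The DNS data below is a
constructed, in-memory zone so the check runs offline; the policy table
and Received: clause format are illustrative assumptions.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

PtrLookup = Callable[[str], List[str]]
AddrLookup = Callable[[str], List[str]]

# Constructed records (RFC 5737 / RFC 3849 documentation ranges), not real hosts.
FAKE_PTR = {
    "192.0.2.25": ["mail.example.net."],                     # confirms
    "192.0.2.26": ["mail.example.org."],                     # PTR present, A points elsewhere
    "192.0.2.27": ["smtp.example.com.", "MX.Example.COM."],  # several PTRs, one confirms
    "2001:db8::25": ["mail6.example.net."],                  # IPv6, confirms
    # 192.0.2.28 deliberately has no PTR record
}
FAKE_A = {
    "mail.example.net": ["192.0.2.25"],
    "mail.example.org": ["198.51.100.9"],
    "smtp.example.com": ["203.0.113.5"],
    "mx.example.com": ["192.0.2.27", "203.0.113.7"],
    "mail6.example.net": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
}


def fake_ptr(ip: str) -> List[str]:
    return list(FAKE_PTR.get(ip, []))


def fake_addr(host: str) -> List[str]:
    return list(FAKE_A.get(host, []))


def system_ptr(ip: str) -> List[str]:
    """Live PTR lookup via the OS resolver (not used by the offline demo)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []


def system_addr(host: str) -> List[str]:
    """Live A/AAAA lookup via the OS resolver (not used by the offline demo)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except OSError:
        return []


def fcrdns(ip: str, ptr: PtrLookup = system_ptr,
           addr: AddrLookup = system_addr) -> Tuple[str, Optional[str]]:
    """Return (status, hostname).

    status is one of:
      "confirmed"  a PTR name resolves back to the connecting IP
      "mismatch"   PTR exists but no name resolves back to this IP
      "no_ptr"     the IP has no PTR record at all
    Only "confirmed" yields a hostname; anything else is "unknown" to the MTA.
    """
    client = ipaddress.ip_address(ip)
    names = ptr(ip)
    if not names:
        return "no_ptr", None
    for raw in names:
        host = raw.rstrip(".").lower()  # names are case-insensitive; drop root dot
        for a in addr(host):
            try:
                if ipaddress.ip_address(a) == client:  # normalises IPv6 spellings
                    return "confirmed", host
            except ValueError:
                continue  # garbage address record; keep checking the others
    return "mismatch", None


def received_clause(ip: str, helo: str, status: str, host: Optional[str]) -> str:
    """Logging use of the identity: the 'from' clause of a Received: header.
    Assumed format follows the common 'from HELO (rdns [ip])' convention."""
    shown = host if status == "confirmed" else "unknown"
    return f"from {helo} ({shown} [{ip}])"


def client_permissions(status: str, password_authenticated: bool) -> set:
    """Policy use of the identity (hypothetical rules; the point is that this
    decision is separate from the check). FCrDNS alone never grants relaying;
    username/password authentication does."""
    if password_authenticated:
        return {"deliver_local", "relay"}
    if status == "no_ptr":
        return set()  # refuse, akin to Postfix's reject_unknown_reverse_client_hostname
    return {"deliver_local"}


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27", "192.0.2.28", "2001:db8::25"):
        status, host = fcrdns(ip, fake_ptr, fake_addr)
        print(status, received_clause(ip, "mail.example.net", status, host),
              client_permissions(status, False))
```

Swap `fake_ptr`/`fake_addr` for the `system_*` helpers to run it against real DNS. The "mismatch" branch is the case that matters operationally: a PTR that any holder of the IP's reverse zone can publish proves nothing until the forward lookup confirms it, which is why the check is weak authentication rather than mere identification.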