> However, if the administrator does turn on SMTP authentication, the email
> client of internal users will anyway need to be set up to send in
> authentication information on every SMTP request.

We put in support years ago so that an administrator can set up trusted
subnets, removing the requirement for clients in those subnets to
authenticate.  IP address and cryptographic data are the only reliable
tests.  Nothing else in RFC 2821 and RFC 2822 is non-spoofable.  SPF, for
example, comes down to eventual IP address checking, having determined the
list of IP addresses which a given domain has claimed are valid from it to
send.

If anyone wants to write some SPF code for JAMES, one way would be to base
it on creating and caching a netmatcher for each sender domain.

        --- Noel
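
A sketch of the per-domain caching idea suggested above, added here as an example; it is not code from this message or from the JAMES project. It uses a small stand-in matcher rather than JAMES's own classes, handles only `ip4:` mechanisms, and assumes Java 16+; `SpfNetCache`, `Cidr`, `txtLookup` and the sample record are hypothetical.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

public class SpfNetCache {
    // One IPv4 block taken from an "ip4:" mechanism (stand-in for a net matcher entry).
    record Cidr(int network, int mask) {
        boolean contains(int addr) { return (addr & mask) == network; }
    }

    // Sender domain -> networks it has published. A real cache would expire with the DNS TTL.
    private final Map<String, List<Cidr>> cache = new ConcurrentHashMap<>();
    private final Function<String, String> txtLookup; // hypothetical TXT resolver, null if no record

    SpfNetCache(Function<String, String> txtLookup) { this.txtLookup = txtLookup; }

    static int toInt(String ip) {
        String[] p = ip.split("\\.");
        if (p.length != 4) throw new IllegalArgumentException("not IPv4: " + ip);
        int v = 0;
        for (String s : p) {
            int octet = Integer.parseInt(s);
            if (octet < 0 || octet > 255) throw new IllegalArgumentException("bad octet: " + ip);
            v = (v << 8) | octet;
        }
        return v;
    }

    static List<Cidr> parse(String record) {
        List<Cidr> nets = new ArrayList<>();
        if (record == null) return nets;
        String[] terms = record.trim().split("\\s+");
        if (!terms[0].equals("v=spf1")) return nets;
        for (String term : terms) {
            if (!term.startsWith("ip4:")) continue; // include, a, mx, ip6, qualifiers: out of scope
            String[] parts = term.substring(4).split("/");
            int bits = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
            if (bits < 0 || bits > 32) throw new IllegalArgumentException("bad prefix: " + term);
            int mask = bits == 0 ? 0 : -1 << (32 - bits);
            nets.add(new Cidr(toInt(parts[0]) & mask, mask));
        }
        return nets;
    }

    // True only if the connecting IP falls in a network the sender domain has published.
    boolean permitted(String senderDomain, String clientIp) {
        int addr = toInt(clientIp);
        List<Cidr> nets = cache.computeIfAbsent(senderDomain.toLowerCase(Locale.ROOT),
                d -> parse(txtLookup.apply(d)));
        return nets.stream().anyMatch(n -> n.contains(addr));
    }

    public static void main(String[] args) {
        // Constructed record using documentation-only names and address ranges.
        Map<String, String> zone = Map.of("example.com", "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all");
        SpfNetCache spf = new SpfNetCache(zone::get);
        System.out.println(spf.permitted("example.com", "192.0.2.55"));
        System.out.println(spf.permitted("EXAMPLE.com", "198.51.100.8"));
    }
}
```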

