Marc Perkel wrote:


Magnus Holmgren wrote:
On Wednesday 02 August 2006 14:37, Marc Perkel took the opportunity to say:
Why not just eliminate the SMTP protocol for end users and keep SMTP as
a server to server protocol and have users send their email to the
server by extending POP/IMAP to send email. It created an authenticated
connection back to the server where the POP/IMAP server hands it off to
the SMTP server. That way email clients aren't using the same protocol
as email servers.

Why? It's not, like, that MUAs try to deliver directly to the recipient MX. If all ISPs block port 25 outbound, it doesn't matter what protocol end users use to submit their mail to their local MTA. Otherwise, zombies can still try to connect directly, and you'll have to rely on DUL and other blacklists to figure out which IP addresses belong to end users.
The zombies wouldn't be able to connect because the zombies wouldn't have the IMAP password.

I think part of the problem is that the receiving SMTP server can't tell
if email is coming from another SMTP server or a virus infected spam
zombie.

Yes, but that problem isn't solved by using a different protocol to submit mail. How are you going to enforce it, without also blocking port 25 outbound? That, or a global whitelist, is the necessary and sufficient condition for stopping direct zombie connections.
If you use IMAP for your outgoing email from the client you no longer need port 25 except for server to server transfers. The only outgoing path is the IMAP connection which requires authentication. Zombies wouldn't have the password and wouldn't have access to any way to send email.


And this differs from SMTP AUTH in what way?
ISP:
* Blocks pt 25 outbound.
* Requires all of its users to AUTH sending through its servers.
I see using IMAP as a bad reason to stop spam. Think of this.
The normal user knows to get their mail from mail.isp.com and send mail to mail.isp.com (SMTP, POP respectively.) All email clients I've ever seen are set up to delete messages off the server when they have downloaded them by default (POP3.)
POP3/SMTP AUTH
Mail storage for ISP? Say 100MB. (ISPs don't allocate this by the number of users, they know that they won't be storing that much mail for that long.) Help desk calls because of over limit? Very few.

IMAP/IMAP SEND
Mail storage for ISP? Say 100MB. (ISP WILL HAVE TO allocate this much for every user, say you have 40K users... you can see how expensive this will become.) Help desk calls because of over limit? Quite a few because the email client will just keep the messages on the server.

I'd be surprised if you'd convince a broad range of ISPs to implement IMAP for all their users... ISPs complain about network infrastructure upgrades, what do you think will happen when their server farm will have to grow by 10000X for storage? They'll just laugh. Now if you are a small-time ISP, and have deep pockets, sure, implement this strategy. But I'm very doubtful they will. I know I won't. I block locally all outbound and inbound port 25 (except where needed.) I work for a private company and can do this. By not blocking on even a corp LAN, you are exposing yourself to possible infections by users setting up their MUA to get mail from their ISP's server... I may be thought of as a Mail Nazi, but I also can say with 100% assurance, our network here will not spread a virus or spam. Everything scanned, everything checked, what isn't is blocked.


--
Thanks,
James
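
An added example, not part of the original thread or any poster's code: one way to see the "direct zombie connection" pattern discussed above is to scan egress firewall logs for internal hosts, other than the sanctioned MTA, that open TCP port 25 to outside addresses. The internal range, the MTA address and the simplified iptables-style log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical values for illustration): the internal range and
# the only host permitted to speak SMTP to the outside world.
INTERNAL_NET = ip_network("10.0.0.0/24")
ALLOWED_MTAS = {ip_address("10.0.0.5")}

# Constructed sample lines, simplified from the iptables LOG target format.
SAMPLE_LOG = """\
Aug  2 14:37:01 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=25 SYN
Aug  2 14:37:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.7 PROTO=TCP SPT=1044 DPT=25 SYN
Aug  2 14:37:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.9 PROTO=TCP SPT=1045 DPT=25 SYN
Aug  2 14:37:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.10 PROTO=TCP SPT=1046 DPT=25 SYN
Aug  2 14:37:04 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=10.0.0.5 PROTO=TCP SPT=2201 DPT=587 SYN
Aug  2 14:37:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=10.0.0.5 PROTO=TCP SPT=2300 DPT=25 SYN
Aug  2 14:37:06 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=25
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def direct_smtp_offenders(log_text):
    """Map each internal, non-MTA source to the set of external hosts it
    tried to reach on TCP/25 (the direct-to-MX pattern a zombie produces)."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # submission on 587, UDP noise, unrelated traffic
        try:
            src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated log line
        if src in INTERNAL_NET and src not in ALLOWED_MTAS and dst not in INTERNAL_NET:
            offenders[str(src)].add(str(dst))
    return dict(offenders)


if __name__ == "__main__":
    for host, targets in sorted(direct_smtp_offenders(SAMPLE_LOG).items()):
        print(f"{host}: {len(targets)} external target(s) on port 25")
```

A client that reaches many distinct external hosts on port 25 while never touching the local MTA is the case an egress block on port 25 is meant to stop.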
