[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POP/IMAP before SMTP



On Tue, 28 Apr 1998, Eugene Crosser wrote:
> 	"LOGIN" <SP> <addr-spec> <SP> <user-identity> <CR> <LF>
> 	"LOGOUT" <SP> <addr-spec> <SP> <user-identity> <CR> <LF>
> 
> <user-identity> field with preceding whitespace may be omitted from
> either request.
> 
> The server shall, having accepted "LOGIN" request, remember the relation
> between the <addr-spec> and the <user-identity> and may expire this
> relation without "LOGOUT" request when the TTL for the entry expires.

While you're at it, you might as well allow (optional) specification of a
TTL in the LOGIN transaction.  The server (client in this case) making the
report probably has some notion of the typical lifetime of this particular
sort of connection (whatever sort that is).

Not that I'm sure I see the validity of this approach in the first place
(since it's really a double inference)... though I do find it an interesting
notion/discussion.

Let me give you an example of how this can fail miserably: multi-user
machines (yes, they still exist, though many people seem to forget that).
If someone is visiting a university and uses a guest account on their large
UNIX system (with, say, 30,000 users) to read their mail via IMAP, does that
mean you want all 30,000 users to be able to bounce spam off of your SMTP
server?  Probably not.

Another real-world example.  Hotmail used to have (dunno if they still do)
the ability to read remote mailboxes via POP.  You probably wouldn't want to
open your SMTP server up to all the spam-slime on Hotmail...

The moral of the story is that you cannot assume a one-to-one correlation
between users and IP addresses.

-Andy

Global Auctions
http://www.globalauctions.com