[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POP/IMAP before SMTP

First, I'd like to tell you guys that I have a very very basic prototype
server working, i.e. it follows the specification.  No API so far,
not today.

> >      "LOGIN" <SP> <addr-spec> <SP> <user-identity> <CR> <LF>
> >      "LOGOUT" <SP> <addr-spec> <SP> <user-identity> <CR> <LF>
> > 
> > <user-identity> field with preceding whitespace may be omitted from
> > either request.
> > 
> > The server shall, having accepted "LOGIN" request, remember the relation
> > between the <addr-spec> and the <user-identity> and may expire this
> > relation without "LOGOUT" request when the TTL for the entry expires.
> While you're at it, you might as well allow (optional) specification of a
> TTL in the LOGIN transaction.  The server (client in this case) making the
> report probably has some notion of the typical lifetime of this particular
> sort of connection (whatever sort that is).

It could be useful in some cases, but having fixed ttl (or, for a change,
a few allowed fixed values) greatly simplifies expiration.  And speeds up.
I'd prefer to keep things simple.  But I'll think about it.

> Let me give you an example of how this can fail miserably: multi-user
> machines (yes, they still exist, though many people seem to forget that).
> If someone is visiting a university and uses a guest account on their large
> UNIX system (with, say, 30,000 users) to read their mail via IMAP, does
> that mean you want all 30,000 users to be able to bounce spam off of your
> SMTP server?  Probably not.

That is what I thought about, and it does not bother me too much: what if
a multiuser machine gains SMTP access to my server for a few minutes?
It's highly unprobable that a spammer will start bombing my server right
at that moment.

> Another real-world example.  Hotmail used to have (dunno if they still do)
> the ability to read remote mailboxes via POP.  You probably wouldn't want
> to open your SMTP server up to all the spam-slime on Hotmail...

This is more dangerous than the previous example.  Probably we will need
a way to tell the smtpserver to not trust certain addresses even if there
where POP connections from them.

Thanks for useful ideas.