[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: POP/IMAP before SMTP
First, I'd like to tell you guys that I have a very very basic prototype
server working, i.e. it follows the specification. No API so far,
> > "LOGIN" <SP> <addr-spec> <SP> <user-identity> <CR> <LF>
> > "LOGOUT" <SP> <addr-spec> <SP> <user-identity> <CR> <LF>
> > <user-identity> field with preceding whitespace may be omitted from
> > either request.
> > The server shall, having accepted "LOGIN" request, remember the relation
> > between the <addr-spec> and the <user-identity> and may expire this
> > relation without "LOGOUT" request when the TTL for the entry expires.
> While you're at it, you might as well allow (optional) specification of a
> TTL in the LOGIN transaction. The server (client in this case) making the
> report probably has some notion of the typical lifetime of this particular
> sort of connection (whatever sort that is).
It could be useful in some cases, but having fixed ttl (or, for a change,
a few allowed fixed values) greatly simplifies expiration. And speeds up.
I'd prefer to keep things simple. But I'll think about it.
> Let me give you an example of how this can fail miserably: multi-user
> machines (yes, they still exist, though many people seem to forget that).
> If someone is visiting a university and uses a guest account on their large
> UNIX system (with, say, 30,000 users) to read their mail via IMAP, does
> that mean you want all 30,000 users to be able to bounce spam off of your
> SMTP server? Probably not.
That is what I thought about, and it does not bother me too much: what if
a multiuser machine gains SMTP access to my server for a few minutes?
It's highly unprobable that a spammer will start bombing my server right
at that moment.
> Another real-world example. Hotmail used to have (dunno if they still do)
> the ability to read remote mailboxes via POP. You probably wouldn't want
> to open your SMTP server up to all the spam-slime on Hotmail...
This is more dangerous than the previous example. Probably we will need
a way to tell the smtpserver to not trust certain addresses even if there
where POP connections from them.
Thanks for useful ideas.