Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!usc!snorkelwacker.mit.edu!paperboy!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Authenticated SMTP, anyone done one?
Message-ID: <17169:Jun1122:04:5791@kramden.acf.nyu.edu>
Date: 11 Jun 91 22:04:57 GMT
References: <1991Jun3.163841.4114@bwdls61.bnr.ca>
Organization: IR
Lines: 24

In article <1991Jun3.163841.4114@bwdls61.bnr.ca> mleech@bnr.ca (Marcus Leech) writes:
> Has anyone done an authenticated SMTP, and if so, is there an RFC in
> existence that describes it?

RFC 931, the Authentication Server, provides enough additional security
to stop those pesky undergraduates from forging mail (at least without a
network machine of their own). You can get my implementation of RFC 931
for BSD machines in stealth.acf.nyu.edu:pub/hier/inet/rfc931/authd.3.01.
You can make sendmail (5.61, 5.65, possibly others) understand RFC 931
by applying sendmail-patches-djb, available from the same place; after
the patch, $F in an H line in sendmail.cf will print the remote user
name for any SMTP connection.

> I realize that this breaks the existing SMTP philosophy of allowing any
> SMTP to connect to any other. I'm thinking of corporate internets, rather
> than "the INTERNET".

RFC 931 can be used over any part of the Internet. In fact, it's the
only working freely available wide-area TCP authentication code I know
of. If you do want to restrict access to the local net or to
authenticated connections, you can use my attachport (comp.sources.unix
volume 22) or shuctld (coming very soon to a source group near you).

---Dan
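
Added example, not part of the original post and not code from authd or sendmail-patches-djb: a Python sketch of the RFC 931 exchange a mail server performs to learn the remote user name, with the checks a receiver should apply before writing that name into a header. The function names, the 64-character limit and the sample replies in the comments are assumptions constructed for illustration.

```python
import re

# Reply grammar from RFC 931:
#   "<port>, <port> : USERID : <opsys> : <user>"
#   "<port>, <port> : ERROR : <error-type>"
_REPLY = re.compile(
    rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$"
)
# Conservative choice made for this example: printable ASCII, no spaces,
# bounded length, so the name can never carry CR/LF into a mail header.
_SAFE_USER = re.compile(rb"[\x21-\x7e]{1,64}")


def ident_query(their_port, our_port):
    """Line sent to TCP port 113 on the connecting host. The first number is
    the port on that host, the second is the port on our side (25 for SMTP)."""
    return b"%d, %d\r\n" % (their_port, our_port)


def parse_ident_reply(raw, their_port, our_port):
    """Return the user name the remote host asserts for this connection, or
    None when the reply is an error, malformed, or about another port pair."""
    m = _REPLY.match(raw.rstrip(b"\r\n"))
    if m is None:
        return None  # not a reply at all, or extra lines were smuggled in
    if (int(m.group(1)), int(m.group(2))) != (their_port, our_port):
        return None  # answer does not describe the connection we asked about
    if m.group(3) != b"USERID":
        return None  # e.g. "ERROR : NO-USER"
    _opsys, sep, user = m.group(4).partition(b":")
    user = user.strip()
    if not sep or _SAFE_USER.fullmatch(user) is None:
        return None  # missing user field or unsafe characters
    # The name is only what the remote host's RFC 931 server claims; it is
    # worth as much as the administration of that host.
    return user.decode("ascii")


if __name__ == "__main__":
    # Constructed sample: remote port 6193 connected to our SMTP port 25.
    print(ident_query(6193, 25))
    print(parse_ident_reply(b"6193, 25 : USERID : UNIX : stjohns\r\n", 6193, 25))
    print(parse_ident_reply(b"6193, 25 : ERROR : NO-USER\r\n", 6193, 25))
```

A caller that gets `None` should record the sender as unidentified rather than copy any part of the raw reply into the message.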