Path: utzoo!yunexus!davecb
From: davecb@yunexus.UUCP (David Collier-Brown)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Host requirements and SMTP
Message-ID: <6295@yunexus.UUCP>
Date: 5 Jan 90 17:11:35 GMT
Article-I.D.: yunexus.6295
References: <24861.631484091@cs.nott.ac.uk>
Organization: York U. Computing Services
Lines: 38

j.onions@computer-science.nottingham.ac.UK (Julian Onions) writes:
>Section 5.2.5
>The discussion about resolution of the HELO parameter is not that
>essential anyway, to my mind what is more important is that you can
>discover where the SMTP connection is coming from.

  Well, one of them comes from my CP/M-80 machine via a terminal
server... If I wanted to pay the long distance costs, they could come
from "dial smtp" on a Multics box, etc, etc. And if you do happen to
be using IP, your name may not be registered yet.

> a) you don't know who is sending you the message really, so
>    your chances of getting it back are limited if things blow up.

  I have to agree with this: without a previous agreement at the
human level the mailer using smtp won't know to queue the mail for me
and will simply refuse it.

> b) You don't know who is really sending the message - from a
>    security point of view. IP addresses can be forged but this is
>    better than nothing - certainly better than implicitly
>    believing the HELO.
>Therefore I would argue all the authentication should have been done
>before it gets to the HELO stage. A future HR should perhaps note that
>you should attempt to discover where the message is coming from.

  And we clearly need an authentication mechanism, for which the
HELO construct is the normal hook (ie, it's included even though not
strictly necessary: guess jon was thinking ahead (:-))

--dave
--
David Collier-Brown,  | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave.,      | {toronto area...}lethe!dave
Willowdale, Ontario,  | Joyce C-B:
CANADA. 416-223-8968  |    He's so smart he's dumb.