
Re: Remote email access
From: "Jack Bates" <jbates () brightok net>
Date: Tue, 4 Feb 2003 09:16:04 -0600

From: "Daniel Senie"

The question this raises is whether you're concerned about MTA to MTA
communication, or MUA to MTA? I'd be happy to see certs in use for MTA-MTA
(and indeed support this today on my systems when talking to other MTAs
which are using STARTTLS). However, there are definitely reasons why this
would be a difficult requirement if made mandatory. Many embedded devices
use SMTP for alerting to trouble (example: the monitoring cards in UPSs).
Having a flag day for a switch to requiring certificates would be
unworkable in so many ways.

I'm concerned with MTA to MTA. I disagree with your embedded devices issue
as it is considered "trusted" or should be. I think that such devices should
also quit pretending to be an MTA and act like an MUA. A flag day is
necessary, and certification from MTA to MTA is necessary. The key is that
the certification should be for the company and not just the server, and
lookups for said company's certificates should be simplistic. When it
comes to mail, people are screaming that they have the right to accept and
refuse mail from anyone they want. The problem is that identifying a person
by their domain name which no longer has the strict requirements it once did
or by their IP address, which is often not kept accurate in SWIP and RWhois
databases, nor managed with proper rDNS, or even kept static, is near
impractical. We talk about security on the Internet. Forget encryption for a
moment. We can't even keep track of identities so that we can say "I do not
accept email from entity X" and be done with it.
