kevins@dartvax.UUCP (Kevin M. Schofield) (07/30/87)
>>queuefiles, looking at the envelope of each letter and determine which ones go >>to the host on the other end of the SMTP connection. > >The reason there is no TURN command is much more fundamental. How do you >verify the identity of the "calling" entity reliably enough to believe you >are giving the mail to the right entity? > >True, the security is marginally better when you are doing the "calling" Now wait a minute. If we're using SMTP in the first place, aren't we assuming that there is some form of controlled access to the SMTP server? Like an ethernet where all the hosts are known? If we can't guarantee that, we have even bigger security problems than reading someone else's mail. We've got people sending all sorts of unverified messages. Yeah yeah, I know, SMTP isn't secure. After all, anyone can invoke sendmail with the -bs flag, and voila! have their own smtp server. Or even better, open up a stream socket and connect to the SMTP server on any host. But getting back to the TURN command, if we're disallowing TURN's because SMTP isn't secure, we should disallow SMTP in general because it isn't secure. I guess this all boils down to the fact that SMTP's biggest problem is its lack of security. Cheers, -Kevin
kre@munnari.oz (Robert Elz) (08/05/87)
In article <6794@dartvax.UUCP>, kevins@dartvax.UUCP (Kevin M. Schofield) writes: > Now wait a minute. If we're using SMTP in the first place, aren't we assuming > that there is some form of controlled access to the SMTP server? Like an > ethernet where all the hosts are known? If we can't guarantee that, we have > even bigger security problems than reading someone else's mail. We've got > people sending all sorts of unverified messages. No, that's a much smaller problem, as the problem with TURN isn't reading someone else's mail, its purloining it .. when the imposter gets his copy the real recipient loses it forever. The same situation applies with paper mail (snail mail). I can mail a letter and sign it Ronald Reagan if I feel like it (it might be against the law, or it might not, but that's immaterial here). But the post office won't hand over mail to be if I role up and say "Hi, I'm from the White House, give me all you've got"... kre