ingress SMTP

David Champion dgc at
Thu Sep 4 09:31:11 CDT 2008

> > Well, that depends on MUA design, of course, but it's just been pointed
> > out to me that the RFC says MAY, not MUST.

(That was me.)

> Note that there are TWO relevant RFCs: RFC 4409 and RFC 5068. The latter
> says:
> 3.1.  Best Practices for Submission Operation

Thanks, Tony.  I hadn't taken account of superceding RFCs, and quoted
2476 to Jay.  2476 permits authN without encouraging or requiring it,
but 4409 both obsoletes 2476 and makes authN mandatory, so it's more
even than a best practice.  It's the law, to the extent that two sites
involved in a dispute may or may not consider RFC to be law.

But as I noted privately, sendmail for one enables MSP out of the box
without authentication -- or did the last few times I set it up --
so there's certainly a significant base of systems that at least are
running MSP on 587 without requiring authentication.  In such cases,
blocking ports is just whacking moles, whether you ticket and fine the
moles for violating RFC or not.

 -D.    dgc at    NSIT    University of Chicago

More information about the NANOG mailing list