Hi Scott. I'm not sure if you can help me with this one or not: I am the manager of a software support department and I have a question about the use of SMTP for sending e-mail. Our software automates the sending of e-mail over SMTP, however in our own configuration, we require that a POP account be entered for authentication. Many of our customers wonder why we require this, and the answer is so that our software cannot be used for spamming. This makes sense to me, but it does not to most IT admins with which we speak.
As I understand it, by default, an SMTP server does not have accounts associated with it, and that unless it is set up specifically to use accounts, there is no authentication to be made. Is this a big deal for an SMTP server to have a POP account associated with it? If so, then shouldn't the authentication be left up to the IT admin to authenticate the IP address from which the e-mail is coming?
Generally speaking, SMTP Servers that support the AUTH extension have their own authentication mechanism and don't use POP3 mailboxes for authenticating users. For one thing, SMTP and POP3 are completely independent of one another both as type of mail transport servers and as protocols.
I guess I would also question why you are using associated POP3 mailboxes for authentication instead of a security principal like a user account. For example, the Exchange 5.5 IMC supports NTLM authentication, enabling you to authenticate SMTP users by using their domain account and password.
I would have your developers look over the RFCs that cover SMTP, and look into how the AUTH extension (command verb) is used. It's a lot easier for you if you leave it up to the IT Admin to configure their SMTP Server for authentication, or for that matter, relaying.
Are you also using SSL or some other form of encryption with your authentication mechanism? If not, your attempts at security will fail because the credentials are sniffable on the wire. Moreover, if you're trying to force authentication to stop people from spamming (e.g., relaying), then you may be overlooking the situation where a spammer gets a hold of a POP3 account that can send whatever it wants through the mail server.
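The three points in the answer above (SMTP AUTH is its own extension, the credentials it carries are readable by anyone on the wire unless the channel is encrypted, and authentication only gates relaying, so a stolen account still relays) can be shown in a few lines. The following is an added example, not part of the original exchange: `ToySMTPServer` is a hypothetical single-session state machine written for illustration, not a real MTA, and `USERS` and `LOCAL_DOMAINS` are constructed sample data. The encoding follows AUTH PLAIN as specified in RFC 4616 (the mechanism SMTP AUTH, RFC 4954, most commonly carries); the server advertises AUTH only after STARTTLS (RFC 3207) and refuses to relay to non-local domains until a client has authenticated.

```python
import base64

# Constructed sample data for the demonstration (not from the original page).
USERS = {"alice": "s3cret"}
LOCAL_DOMAINS = {"example.com"}


def encode_auth_plain(authcid, passwd, authzid=""):
    """Client side of AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()


def decode_auth_plain(b64):
    """What anyone who captured the AUTH line can do: base64 is encoding, not encryption."""
    authzid, authcid, passwd = base64.b64decode(b64).decode().split("\0")
    return authzid, authcid, passwd


class ToySMTPServer:
    """Hypothetical single-session SMTP state machine (illustration only, not a real MTA).

    Policy: AUTH is accepted only after STARTTLS; RCPT TO a non-local domain
    (i.e. relaying) is accepted only after a successful AUTH."""

    def __init__(self, users, local_domains):
        self.users = users
        self.local_domains = local_domains
        self.tls = False      # set once STARTTLS has been issued (handshake is simulated)
        self.authed = None    # username after a successful AUTH, else None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["250-toy.example.com", "250-STARTTLS"]
            if self.tls:
                exts.append("250-AUTH PLAIN")   # advertise AUTH only on the encrypted channel
            exts.append("250 OK")
            return "\r\n".join(exts)
        if verb == "STARTTLS":
            self.tls = True                     # a real server runs the TLS handshake here
            self.authed = None                  # RFC 3207: state is reset after STARTTLS
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            mech, _, initial = arg.partition(" ")
            if mech.upper() != "PLAIN" or not initial:
                return "504 5.5.4 Unrecognized authentication type"
            try:
                _, user, pw = decode_auth_plain(initial)
            except (ValueError, UnicodeDecodeError):
                return "501 5.5.2 Cannot decode response"
            if self.users.get(user) == pw:
                self.authed = user
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            return "250 2.1.0 OK"
        if verb == "RCPT":
            domain = arg.rstrip(">").rsplit("@", 1)[-1].lower()
            if domain in self.local_domains or self.authed:
                return "250 2.1.5 OK"
            return "554 5.7.1 Relay access denied"
        return "500 5.5.1 Command unrecognized"


def run_session(commands):
    """Feed a list of client commands to a fresh server; return (command, response) pairs."""
    server = ToySMTPServer(USERS, LOCAL_DOMAINS)
    return [(cmd, server.handle(cmd)) for cmd in commands]


if __name__ == "__main__":
    cred = encode_auth_plain("alice", "s3cret")
    # The sniffed AUTH line decodes straight back to the password.
    print("sniffed AUTH PLAIN decodes to:", decode_auth_plain(cred))
    for cmd, resp in run_session([
        "EHLO client.example.net",
        "AUTH PLAIN " + cred,             # rejected: cleartext channel
        "RCPT TO:<bob@other.net>",        # rejected: unauthenticated relay
        "STARTTLS",
        "EHLO client.example.net",        # AUTH PLAIN now advertised
        "AUTH PLAIN " + cred,
        "MAIL FROM:<alice@example.com>",
        "RCPT TO:<bob@other.net>",        # accepted: any holder of alice's account can relay
    ]):
        print("C:", cmd)
        print("S:", resp)
```

Two things the session makes concrete for the original poster's question: the server, not a POP3 mailbox, owns the AUTH decision, and once a client holds a valid account the relay check passes, so account hygiene matters as much as the AUTH requirement itself.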