Originally posted by: bsobel
Verizon is even worse, you have to authenticate to their servers before being allowed to send mail, even when you are on their network. That seems excessive to me.
I'm of the school that all ISPs should require authentication, helps in many situations know whom to blame if spam goes out.
I disagree, only on the basis that if the sending client's IP is on Verizon's network already, then they have the assigned IP, and can use that to track down the sender, since they are on their own network. Outside the network, sure, require authentication. But inside?
But requiring auth while already on the internal network, actually creates a security risk. There was a thread over on BBR about someone handling internet-access for a hotel, with a Verizon business DSL line, and they have had guests asking for the DSL line's username/password, in order to auth to be able to send outgoing e-mail. What a mess! (Obviously, I replied and told them that giving out the username/password is a very bad idea.)
Security is good, but when it starts to affect availability of services unnecessarily, one has to step back and ask if policies are being implemented correctly. In this case, I think that VZ's policy is a bit bone-headed. No other ISP does things this way.
(In short, why is VZ requiring double-auth from the users? Firstly with PPPoE/PPP to access VZ's network, and secondly to access services available on the internal network? Once should be enough.)
Originally posted by: bsobel
Verizon requires this today since they have hot spot services, but it goes a way towards keeping home user machines that have zombies on them from spreading (although I'm sure the zombies will start ferreting out the authent info), additionally it helps with customers with open wireless networks (drive by spamming actually does happen...)
I totally disagree with that. One, don't the users of the VZ WiFi hotspots still have to auth using PPPoE? (Have no idea, but since VZ is moving their entire DSL base to use it, and dial-up users already have to use PPP, and FIOS will be using PPPoE, then I am assuming that WiFi users will too, just to make the auth database orthogonal to the access services used.)
Second, how in the world can "zombies" spread via the SMTP port? That's really not a valid reason for requiring auth, while on their own network.
PS. Still curious if you think netcat would be a practical/workable solution to allowing the SMTP server to listen on multiple ports.