
Re: tmda: Challenge-response is fundamentally broken



* Mark Brown

 > You do realise that all parts of SMTP are generally completely
 > unauthenticated and can be trivially forged?

  Yes.  It's indeed very sad that it is so.

  However, my main issue still remains -- the difference (for the user)
 between

     «I'm installing this package and accept that my correspondents
     must jump through a few hoops to get in touch with me»

  and

     «I'm installing this package and accept that my correspondents must
     jump through a few hoops to get in touch with me -and- that it is
     overwhelmingly likely that I will send unsolicited junk mail to third
     parties so that they will have to deal with the problem instead of
     myself»

  is, in my opinion, vast.

  If TMDA warned the user that it'll take the latter approach, I'd
 probably be happy with that.   (It would have been even better if
 there were some tutorial included, that could give a crash course
 in how to make TMDA -not- send challenges to e-mail SpamAssassin and/or
 ClamAV classified as junk mail.)

-- 
Tore Anderson


