Received: from localhost (daemon@localhost) by CS.UTK.EDU with SMTP (cf v2.9s-UTK) id PAA08312; Tue, 23 Sep 1997 15:47:00 -0400 (EDT) Received: by CS.UTK.EDU (bulk_mailer v1.7); Tue, 23 Sep 1997 15:46:21 -0400 Received: by CS.UTK.EDU (cf v2.9s-UTK) id PAA08236; Tue, 23 Sep 1997 15:46:20 -0400 (EDT) Received: from doggate.exchange.microsoft.com (doggate.microsoft.com [131.107.2.63]) by CS.UTK.EDU with SMTP (cf v2.9s-UTK) id PAA08209; Tue, 23 Sep 1997 15:45:57 -0400 (EDT) Received: from popdog.exchange.microsoft.com (POPDOG [192.168.90.33]) by doggate.exchange.microsoft.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1918.0) id TGDLRJT3; Tue, 23 Sep 1997 12:49:21 -0700 Received: from cassatt (CASSATT.dns.microsoft.com [157.55.232.171]) by popdog.exchange.microsoft.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1918.0) id TCBYP9Q4; Tue, 23 Sep 1997 12:49:14 -0700 From: "Jeff Stephenson" To: Cc: Subject: Re: TURN and disconnected SMTP with dynamic IP addresses Date: Tue, 23 Sep 1997 12:45:39 -0700 Message-ID: <01bcc859$453e5a10$abe8379d@cassatt.cassatt.dns.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 -----Original Message----- From: Perry E. Metzger To: Jeff Stephenson Cc: drums@cs.utk.edu Date: Tuesday, September 23, 1997 9:55 AM Subject: Re: TURN and disconnected SMTP with dynamic IP addresses >I'm very serious here. If anyone tries reviving TURN for this purpose >until AFTER we have a deployed security mechanism -- note *deployed* >-- I will personally recruit security geeks to fill this mailing list >with flames until the point gets driven home. Instead of that, why don't we all try and work as a community to come up with a solution to a very immediate real-world problem? >Spoofing is trivial. To do, yes. >Stealing someone's mail is not. Exactly, which is why TURN must not be honored unless the client's identity has been established. A SASL based AUTH mechanism can do so. >Spoofing is also solvable in protocols that are deployed and running today. I'm not aware of any way of preventing it in SMTP.