docs/diploma
diff thesis/tex/4-MasqmailsFuture.tex @ 317:3b7680af0ebe
work in enc and auth
author | meillo@marmaro.de |
---|---|
date | Wed, 21 Jan 2009 17:26:18 +0100 |
parents | f3a86ce788ec |
children | 426ad56236ce |
line diff
1.1 --- a/thesis/tex/4-MasqmailsFuture.tex Wed Jan 21 15:19:25 2009 +0100 1.2 +++ b/thesis/tex/4-MasqmailsFuture.tex Wed Jan 21 17:26:18 2009 +0100 1.3 @@ -93,15 +93,16 @@ 1.4 1.5 1.6 \paragraph{\RF6: Authentication} 1.7 -One thing to avoid is being an \name{open relay}. Open relays allow to relay mail from everywhere to everywhere. This is a source of spam. The solution is restricting relay\footnote{Relaying is passing mail, that is not from and not for the own system, through it.} access. It may be also wanted to refuse all connections to the \MTA\ except ones from a specific set of hosts. 1.8 +\label{requirement-authentication} 1.9 +One thing to avoid is being an \name{open relay}. Open relays allow to relay mail from everywhere to everywhere. This is a source of spam. The solution is restricting relay\footnote{Relaying is passing mail, that is not from and not for the own system, through it.} access. It may also be wanted to refuse all connections to the \MTA\ except ones from a specific set of hosts. 1.10 1.11 -Several ways to restrict access are available. The most simple one is restriction by the \NAME{IP} address. No extra complexity is added this way, but the \NAME{IP} addresses have to be static or within known ranges. This approach is often used to allow relaying for local nets. The access check can be done by the \MTA\ or by a guard (e.g.\ \NAME{TCP} \name{Wrappers}) before. The main advantage here is the minimal setup and maintenance work needed. This kind of access restriction is important to be implemented. 1.12 +Several ways to restrict access are available. The most simple one is restriction by the \NAME{IP} address. No extra complexity is added this way but the \NAME{IP} addresses need to be static or within known ranges. This approach is often used to allow relaying for local nets. The access check can be done by the \MTA\ or by a guard (e.g.\ \NAME{TCP} \name{Wrappers}) before. The main advantage here is the minimal setup and maintenance work needed. This kind of access restriction is important to be implemented. 1.13 1.14 This authentication based on \NAME{IP} addresses is impossible in situations where hosts with changing \NAME{IP} addresses, that are not part of a known sub net, need access. Then a authentication mechanism based on some \emph{secret} is required. Three common approaches exist: 1.15 \begin{enumerate} 1.16 \item \SMTP-after-\NAME{POP}: Uses authentication on the \NAME{POP} protocol to permit incoming \SMTP\ connections for a limited time afterwards. The variant \SMTP-after-\NAME{IMAP} exists too. 1.17 \item \SMTP\ authentication: An extension to \SMTP. It allows to request authentication before mail is accepted. Here no helper protocols are needed. 1.18 - \item Certificates: The identity of a user or a host is confirmed by certificates that are signed by trusted authorities. Certificates are closely related to encryption, they do normally satisfy both needs: \NAME{SSL} tunnels encrypt the data transmission and allow to identify the remote user/host by his certificate. 1.19 + \item Certificates: The identity of a user or a host is confirmed by certificates that are signed by trusted authorities. Certificates are closely related to encryption, they do normally satisfy both needs---encrypt the data transmission and allow to identify the remote user/host by his certificate. 1.20 \end{enumerate} 1.21 At least one of the secret-based mechanisms should be supported. 1.22