Re: IMF vs SmtpMail
From: Nick Malik [Microsoft] (nickmalik_at_hotmail.nospam.com)
Date: 02/28/05
Date: Sun, 27 Feb 2005 17:01:26 -0800
Hi Kal,

If someone can get your passwords from the app pool, they aren't using
Exchange to crack your passwords. They'd need access to the physical
servers. (Hope you have a few locked doors :-). The credentials are
already in the app pool. By using anonymous e-mail, your app is simply
ignoring the credentials available to it.

Anonymous access gives your internal applications the ability to send e-mail
with two lines less of code. However, the receiving e-mail client may
decide that the message came from an external spammer, because the e-mail
"from" address is not verified. Outlook 2003 will frequently consider these
messages to be Junk Mail and move them out of the recipient's In Box. If
you want your messages to always get to the reader, authenticate.

In my personal opinion, all anonymous access to e-mail should be completely
banned as the first step in a long process of killing off the scourge of
unsolicited e-mail.

If you want to make an argument, based on security, for using anonymous
e-mail, I'd suggest strongly that spam fighting is a far greater benefit to
your organization than the minor code inconvenience (with zero security
impact) of using authenticated e-mail.

If you want to debate the merits of anonymous vs authenticated e-mail, and
the security implications thereof, I'd suggest that you post a query on one
of the Exchange or security groups.
--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik
Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
"Kal" <kal@newsgroup.nospam> wrote in message
news:OlXdAbOHFHA.2616@tk2msftngp13.phx.gbl...
> Nick,
> If you allow relay for the internal network you can use anonymous and no
> userid or password. If you allow only anonymous no one can use exchange to
> crack your passwords because authentication is simply not being done.
> Kal
>
> "Nick Malik [Microsoft]" <nickmalik@hotmail.nospam.com> wrote in message
> news:MbGdnfKUFd7VoYLfRVn-gQ@comcast.com...
>> Hello Kal,
>>
>>> I do not allow authentication as a compromised password will allow
>>> spammers access.
>>
>> If you use windows authentication, you do not have to put the userid or
>> password into the code. The Userid and Password are simply derived from
>> the app pool account you have already set up.
>>
>> --
>> --- Nick Malik [Microsoft]
>> MCSD, CFPS, Certified Scrummaster
>> http://blogs.msdn.com/nickmalik
>>
>> Disclaimer: Opinions expressed in this forum are my own, and not
>> representative of my employer.
>> I do not answer questions on behalf of my employer. I'm just a
>> programmer helping programmers.
>> --
>>>
>>
>>
>
>
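
The anonymous and Windows-authenticated send paths discussed in this thread, sketched with System.Net.Mail (the successor to the System.Web.Mail SmtpMail class named in the subject line). This is an added example, not code from the thread; the relay host, port and addresses are placeholders.

```csharp
using System;
using System.Net.Mail;

// Added example, not from the thread. Host, port and addresses are placeholders.
public static class InternalMail
{
    const string RelayHost = "mail.internal.example"; // placeholder relay name
    const int SubmissionPort = 587;                    // assumed submission port

    // Anonymous: the client presents no identity, so the relay can only
    // decide based on the source IP address of the connection.
    public static SmtpClient CreateAnonymousClient()
    {
        return new SmtpClient(RelayHost, SubmissionPort)
        {
            UseDefaultCredentials = false
        };
    }

    // Authenticated: the process identity (the app pool account under IIS)
    // is used for integrated authentication. No user id or password appears
    // in code or configuration. The relay must offer NTLM/Negotiate.
    public static SmtpClient CreateAuthenticatedClient()
    {
        return new SmtpClient(RelayHost, SubmissionPort)
        {
            UseDefaultCredentials = true, // extra line 1: send as the process identity
            EnableSsl = true              // extra line 2: require STARTTLS for the session
        };
    }

    public static void Main()
    {
        // Shows which account the relay will see when authentication is used.
        Console.WriteLine("Process identity: " + Environment.UserName);

        using (var client = CreateAuthenticatedClient())
        using (var msg = new MailMessage("app@internal.example", "ops@internal.example",
                                         "Nightly report", "Report body"))
        {
            try { client.Send(msg); Console.WriteLine("Sent with integrated authentication."); }
            catch (SmtpException ex)
            {
                // A relay that rejects or does not offer authentication fails here
                // instead of silently falling back to an anonymous send.
                Console.WriteLine("Send failed: " + ex.StatusCode + " " + ex.Message);
            }
        }
    }
}
```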