On 5/18/25 12:14 PM, Tom Beecher via NANOG wrote:
"I am FOO." = Identification
"This is proof I am FOO" = Authentication
Okay. I think that's a fair distinction. Based on these meanings, I think that most contemporary MTAs use some form of (weak) authenticated identity. The most common that I see is reverse DNS with forward DNS confirmation. A less common form of (client) authentication is username & password. N.B. Only less common in that there are more MTA-to-MTA connections than there are MUA-to-MTA connections. -- I'm eliding illegitimate connections like credential stuffing attacks. I haven't seen a properly configured Internet accessible MTA not do any form of authentication in many years. More like multiple decades at this point. So I posit that Brent's "SMTP do not authenticate" statement is outdated at best. What is done with that authenticated identity is a down-stream and independent of the authentication process itself. - Maybe it's not used. - Maybe it's only used for logging (Received: header and / or SYSLOG). - Maybe it's used to alter the what the client is allowed to do. -- Grant. . . .