
Well, that depends on MUA design, of course, but it's just been pointed out to me that the RFC says MAY, not MUST.
(That was me.)
Note that there are TWO relevant RFCs: RFC 4409 and RFC 5068. The latter says:
3.1. Best Practices for Submission Operation
Thanks, Tony. I hadn't taken account of superseding RFCs, and quoted 2476 to Jay. 2476 permits authN without encouraging or requiring it, but 4409 both obsoletes 2476 and makes authN mandatory, so it's more even than a best practice. It's the law, to the extent that two sites involved in a dispute may or may not consider RFC to be law.

But as I noted privately, sendmail for one enables MSP out of the box without authentication -- or did the last few times I set it up -- so there's certainly a significant base of systems that at least are running MSP on 587 without requiring authentication. In such cases, blocking ports is just whacking moles, whether you ticket and fine the moles for violating RFC or not.

--
-D. dgc@uchicago.edu NSIT University of Chicago