As I understand it, by default, an SMTP server does not have accounts associated with it, and unless it is set up specifically to use accounts, there is no authentication to be made. Is this a big deal for an SMTP server to have a POP account associated with it? If so, then shouldn't the authentication be left up to the IT admin to authenticate the IP address from which the e-mail is coming?
I guess I would also question why you are using associated POP3 mailboxes for authentication instead of a security principal like a user account. For example, the Exchange 5.5 IMC supports NTLM authentication, enabling you to authenticate SMTP users by using their domain account and password.
I would have your developers look over the RFCs that cover SMTP, and look into how the AUTH extension (command verb) is used. It's a lot easier for you if you leave it up to the IT Admin to configure their SMTP Server for authentication, or for that matter, relaying.
Are you also using SSL or some other form of encryption with your authentication mechanism? If not, your attempts at security will fail because the credentials are sniffable on the wire. Moreover, if you're trying to force authentication to stop people from spamming (e.g., relaying), then you may be overlooking the situation where a spammer gets a hold of a POP3 account that can send whatever it wants through the mail server.
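As an added illustration (not part of the original column), here is a small Python sketch of the points the answer makes: parsing the extensions a server advertises in its EHLO reply, how an AUTH PLAIN credential is encoded on the wire (base64 is encoding, not encryption, which is why it is sniffable without SSL/TLS), and a client policy that only sends AUTH once STARTTLS has been negotiated. The server name and the credentials are constructed sample values.

```python
import base64
import re

# Constructed EHLO reply following RFC 5321 / RFC 4954 syntax; not from any real server.
EHLO_RESPONSE = (
    "250-mail.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(response: str) -> dict:
    """Return {EXTENSION: [params]} from a multi-line 250 EHLO reply.

    The first line carries the server's domain, not an extension, so it is skipped.
    """
    ext = {}
    for line in response.splitlines()[1:]:
        m = re.match(r"250[ -](\S+)(?:\s+(.*))?$", line)
        if m:
            ext[m.group(1).upper()] = (m.group(2) or "").split()
    return ext


def auth_plain_blob(user: str, password: str) -> str:
    """AUTH PLAIN initial response (RFC 4616): base64 of NUL user NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def credentials_from_blob(blob: str) -> tuple:
    """What anyone watching an unencrypted session recovers from that blob."""
    _, user, password = base64.b64decode(blob).decode().split("\0")
    return user, password


def may_authenticate(ext: dict, tls_established: bool) -> bool:
    """Client policy: only send AUTH when the server offers it and the session is TLS-protected."""
    return "AUTH" in ext and "STARTTLS" in ext and tls_established


if __name__ == "__main__":
    exts = parse_ehlo(EHLO_RESPONSE)
    print("advertised AUTH mechanisms:", exts.get("AUTH"))
    blob = auth_plain_blob("alice", "s3cret")
    print("on the wire:", blob, "-> decodes to", credentials_from_blob(blob))
    print("authenticate before STARTTLS?", may_authenticate(exts, tls_established=False))
```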
This was first published in March 2002