Security risk of POP before SMTP

I received an email from one of our servers this morning (CentOS, with WHM running LAMP) stating:

The server has POP3 before SMTP enabled.

For security reasons, cPanel highly recommends that you disable this functionality.

I have done some searching but I can't see why cPanel is recommending this be disabled.

I am loathe to just go ahead and disabled this feature. Our clients haven't been instructed to access the SMTP server via POP before SMTP, but that doesn't mean that some enterprising IT guy working for a customer of ours hasn't configured their mail accounts to do so (it does require SMTP authentication, so someone might try to get around that with POP before SMTP).

What security reasons are cPanel warning me about?


Solution 1:

For starters, everyone behind a common NAT gateway will be authorized to send mail as the client that initiated the POP before SMTP, as it just means "IP x.x.x.x has sucessfully authorized, they may send mail now" and all clients behind the NAT will appear with the same IP.

Potentially, this might mean 1000s of completely random, unreleated users can use your SMTP server in case of modern carrier grade NAT networks, e.g. in cell phone networks.

This alone and the fact that every relevant mail client nowadays is able to do SMTP auth should be enough to convince you to turn it off.