Re: [apps-discuss] [EAI] RFC5336 and VRFY/EXPN (was: Re: apps-team review of draft-ietf-eai-rfc5336bis)

John C Klensin <klensin@jck.com> Mon, 27 December 2010 18:47 UTC

Return-Path: <klensin@jck.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 10A2B3A67B4; Mon, 27 Dec 2010 10:47:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.514
X-Spam-Level:
X-Spam-Status: No, score=-2.514 tagged_above=-999 required=5 tests=[AWL=0.085, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LFz-GYd4n9EG; Mon, 27 Dec 2010 10:47:07 -0800 (PST)
Received: from bs.jck.com (ns.jck.com [209.187.148.211]) by core3.amsl.com (Postfix) with ESMTP id 8EF5E3A67A7; Mon, 27 Dec 2010 10:47:06 -0800 (PST)
Received: from [127.0.0.1] (helo=localhost) by bs.jck.com with esmtp (Exim 4.34) id 1PXI83-000Njv-Hx; Mon, 27 Dec 2010 13:49:07 -0500
X-Vipre-Scanned: 058133FB001DEB05813548-TDI
Date: Mon, 27 Dec 2010 13:49:06 -0500
From: John C Klensin <klensin@jck.com>
To: Al Costanzo <al@akc.com>, Ned Freed <ned.freed@mrochek.com>
Message-ID: <7C0660F7DFFE9C1990252217@[192.168.1.128]>
In-Reply-To: <3F5293BF906846C89013734B3D6262D9@upstairs>
References: <Pine.OSX.4.64.1012221602490.40683@mac-allocchio3.elettra.trieste.it> <01NVQAP0UQRU007CHU@mauve.mrochek.com> <227C2506194609988B81BE4F@PST.JCK.COM> <01NVVQNSWU7U007CHU@mauve.mrochek.com> <3F5293BF906846C89013734B3D6262D9@upstairs>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: ima@ietf.org, apps-discuss@ietf.org
Subject: Re: [apps-discuss] [EAI] RFC5336 and VRFY/EXPN (was: Re: apps-team review of draft-ietf-eai-rfc5336bis)
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Dec 2010 18:47:08 -0000

--On Monday, December 27, 2010 12:00 AM -0500 Al Costanzo
<al@akc.com> wrote:

>...
> Ned,
> 
> If my memory servers me, (and it may not),
> 
> There were good reasons why VRFY supported this.  I dont know
> if any are valid anymore but one idea was that you could send
> the persons name, not the email address, to find out if that
> person had an email address on that system.

and what that address was, of course.

This was heavily used for a while with both VRFY and, separately
with finger, to get from name to email address.  The advantage
of the VRFY approach was that it would permit a user to enter an
address that might look like "John Klensin@example.com" at which
point the MUA would send 
   VRFY John Klensin
to the mail server at example.com, get back an address, and then
open a mail session.

Of course, Ned's observations about lousy support (with which I
agree) notwithstanding, the variation of 
   VRFY "John\ Klensin"
would have been fully 821-compliant.  I vaguely remember one MUA
that would send the first (escape-less) version and then send
the second if the reply from the first was "no 'John; here" or
"syntax error" rather than "no 'John Klensin' here".  The
heuristic is pretty trivial.

That use of VRFY became less popular as MUAs became more
separate from first-hop full service MTA (aka submission
servers) because that sort of use of VRFY pretty much requires
at least some SMTP capability (including domain name lookups,
coping with MXs, etc.) in the MUAs, ability to use port 25
connections from just about anywhere, etc.   I don't know
whether the usage is gone entirely, but it is certainly a lot
less common than it appeared to be many years ago.

> Was this not the reason Ned to allow blanks (whitespace) and
> unquoted strings?  If you remove this from the spec, this
> functionality would be lost, I don't really see a reason to
> lose something that works.

Especially if the clock could be turned back, one could allow
only the single form

  VRFY "John Klensin"

just getting rid of the bare, unquoted, backslash escape that
was permitted by 821 but that 5321 already excludes.

>>> RFC 5321, Section 4.1.4, explicitly
>>> permits sending VRFY or EXPN without first having EHLO in the
>>> session.  So there is another implicit requirement in all of
>>> this that should almost certainly be made explicit.
 
> I do not remember VRFY command requiring the EHELO, there are
> a number of mailing list verifiers that do not send the EHELO
> first.

It never has been a requirement although sending EHLO (or HELO)
first has always been harmless.  Either 5321 or 2821 simply made
it very clear that there was no such requirement.

> Verifiers, since they do not actually send email,
> usually dont send the EHELO first. (our application does) and
> I think requiring the EHELO first as part of a handshake it
> the proper way to do this.

That is one issue on the side of "new command".  If one now
decides to require EHLO first, then all existing uses of VRFY
without it (which conform perfectly well to 5321 and all of its
predecessors) become invalid,  That is pretty uncomfortable to
me.  By contrast, if one creates the new command, then, if the
response to EHLO includes some sort of EXTENDED-VRFY capability
(see below),  one could have:

	-- VRFY without EHLO as requesting the 5321 behavior
	(with or without non-conforming extensions or
	flexibility and with responses limited to ASCII).
	
	-- EHLO, then VRFY as requesting the 5321 behavior,
	identical to that above.  
	
	-- EHLO, then New-VRFY as requiring a strict Atom or
	Quoted-string optionally followed by a parameter list.

Note that, if the non-conforming client behavior we know is out
there is used, then 
    VRFY Costanzo 8BITREPLIES-OK
or equivalent could be interpreted by the server as either of
    VRFY "Constanzo\ 8BITREPLIES-OK"
or as coming with a parameter, or as a syntax error, in either
VRFY case.   Not really a good idea, IMO, and at least one
reason we have not permitted the use of extended parameters with
older SMTP commands with EHLO and capability permission.

Note too that the last paragraph of RFC 5321 Section 3.5.1 is,
in part and while not explicit, a caution against treating the
standard syntax too literally or narrowly. 

We could, in principle, do a completely new command without
involving the extension mechanism at all, thereby allowing
sending it before or without EHLO, but that strikes me as a
really scary idea.

> Only my humble opinon.

Only mine also -- I really don't have my mind made up about this
and am just trying to get the various arguments in front of the
WG.

     john

p.s. I agree with what I take to be at least a corollary to
Ned's remarks: having EAI create special-purpose commands that
are not very narrowly tied to i18n issues would be a bad idea.
If there is any perceived need for a new command, we ought to
define in a separate I-D, as (impossible keyword is deliberate
to clarify that this is not a proposal)
   NewVRFY String *(SP esmtp-param)
with String given only the 5321 interpretation, not the 821 one,
and then process that command through the SMTP list, etc.

If that appeals to anyone, I might generate a strawman just to
facilitate the discussion.