Re: [apps-discuss] [EAI] RFC5336 and VRFY/EXPN (was: Re: apps-team review of draft-ietf-eai-rfc5336bis)

"Al Costanzo" <al@akc.com> Mon, 27 December 2010 04:58 UTC

Return-Path: <al@akc.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F32773A6848; Sun, 26 Dec 2010 20:58:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwFKJzrJ4FkN; Sun, 26 Dec 2010 20:58:35 -0800 (PST)
Received: from imail.akc.com (mail.akc.com [192.188.192.3]) by core3.amsl.com (Postfix) with ESMTP id 35BC93A6832; Sun, 26 Dec 2010 20:58:34 -0800 (PST)
Received: from upstairs (upstairs.akc.com [64.253.39.242]) by imail.akc.com with SMTP; Mon, 27 Dec 2010 00:00:13 -0500
Message-ID: <3F5293BF906846C89013734B3D6262D9@upstairs>
From: Al Costanzo <al@akc.com>
To: Ned Freed <ned.freed@mrochek.com>
References: <Pine.OSX.4.64.1012221602490.40683@mac-allocchio3.elettra.trieste.it><01NVQAP0UQRU007CHU@mauve.mrochek.com><227C2506194609988B81BE4F@PST.JCK.COM> <01NVVQNSWU7U007CHU@mauve.mrochek.com>
Date: Mon, 27 Dec 2010 00:00:09 -0500
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Cc: ima@ietf.org, apps-discuss@ietf.org
Subject: Re: [apps-discuss] [EAI] RFC5336 and VRFY/EXPN (was: Re: apps-team review of draft-ietf-eai-rfc5336bis)
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Al Costanzo <al@akc.com>
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Dec 2010 04:58:37 -0000

> OTOH, a lot of servers back in the days prior to RFC 2821 didn't support 
> the
> 821 thing of allowing literal spances with a \ and no enclosing quotes. So 
> this
> never could be said to have interoperated. And I think the time has come 
> to
> abandon it (although I note that if you really want to continue supporting 
> it,
> the added parameter doesn't prevent you from doing so).
>

Ned,

If my memory servers me, (and it may not),

There were good reasons why VRFY supported this.  I dont know if any are 
valid anymore but one idea was that you could send the persons name, not the 
email address, to find out if that person had an email address on that 
system.

Was this not the reason Ned to allow blanks (whitespace) and unquoted 
strings?  If you remove this from the spec, this functionality would be 
lost, I don't really see a reason to lose something that works.

>> RFC 5321, Section 4.1.4, explicitly
>> permits sending VRFY or EXPN without first having EHLO in the
>> session.  So there is another implicit requirement in all of
>> this that should almost certainly be made explicit.

I do not remember VRFY command requiring the EHELO, there are a number of 
mailing list verifiers that do not send the EHELO first. Verifiers, since 
they do not actually send email, usually dont send the EHELO first. (our 
application does) and I think requiring the EHELO first as part of a 
handshake it the proper way to do this.

Only my humble opinon.

-Al Costanzo





----- Original Message ----- 
From: "Ned Freed" <ned.freed@mrochek.com>
To: "John C Klensin" <klensin@jck.com>
Cc: <Alexey.Melnikov@isode.com>; <apps-discuss@ietf.org>; "Ned Freed" 
<NED+eai@mauve.mrochek.com>; <ima@ietf.org>; 
<draft-ietf-eai-rfc5336bis@tools.ietf.org>
Sent: Sunday, December 26, 2010 5:53 PM
Subject: Re: [apps-discuss] [EAI] RFC5336 and VRFY/EXPN (was: Re: apps-team 
review of draft-ietf-eai-rfc5336bis)


>> In addition, one must have a session for which mail transactions
>> are permitted (i.e., EHLO must have been sent) in order to use
>> any parameters at all.
>
> You certainly need to send an EHLO and process the result to find out what
> extensions are allowed - guessing what combination of extensions will work 
> most
> certainly is not a sound operational policy. And implementations are 
> certainly
> free to only offer the extensions that have been returned in an EHLO 
> repsonse.
>
> That said, I don't see an actual requirement in section 2.2 stating that 
> EHLO
> must be issued before any parameters can be used. (Maybe it's somewhere 
> else,
> but a cursory search didn't find it.) Our MTA certainly doesn't enforce 
> this
> and AFAIK neither does sendmail, PostFix, Apache James, or qmail. (Exim, 
> OTOH,
> appears to.)
>
>> RFC 5321, Section 4.1.4, explicitly
>> permits sending VRFY or EXPN without first having EHLO in the
>> session.  So there is another implicit requirement in all of
>> this that should almost certainly be made explicit.
>
> There certainly should be a note saying that you need to issue an EHLO
> and check the response before attaching any parameters to VRFY/EXPN. I 
> don't
> think a requirement that parameters not be accepted before an EHLO
> has been issued is needed.
>
>> (I think
>> this is the topic about handshaking that Dave and Shawn have
>> been circling around, but I'm not sure).
>
> It's part of it, I think.
>
>> > However, this brings up
>> > another     issue, which is that a server that supports this
>> > extension needs a way     to tell a client that doesn't that
>> > it cannot return a proper response     to VRFY/EXPN without
>> > that parameter being specified. A new SMTP error     status is
>> > needed, but the document only defines an extended status
>> > for this purpose; it doesn't specify a regular status code to
>> > use.
>
>> If we go down this path, the WG clearly needs to reexamine
>> whether such a code is necessary.  I think you have made a
>> persuasive case, but I can't speak for the WG.
>
> It doesn't have to be a new code. OTOH, it needs to be a code that 
> EXPN/VRFY
> don't return for other purposes, and I think if you look at the list of
> available codes a new code is needed.
>
>> Indeed, this has all gotten sufficiently complex that I think
>> perhaps the WG should reexamine its decision to handle the "VRFY
>> and EXPN with possible non-ASCII responses" situation by
>> parameterizing those commands rather than introducing new
>> commands, say VRF8 and EXP8.  IIR, the WG did consider that
>> alternative (long ago) and conclude that adding a parameter was
>> the more straightforward option. But, perhaps, given the
>> various complexities that have emerged, that was not the right
>> decision.
>
> I considered suggesting new commands, but given the need to specify
> syntax for the new commands I don't see this as any simplier
> specification-wise. In terms of implementation, a new command is actually
> a somewhat more complex - the code changes are less localized, and I 
> suspect
> other implementations will be comparable in this regard.
>
> But the minute you need some other variant on EXPN and VRFY, the alternate
> command appraoch becomes the far more complex way to do it. Now, we 
> haven't had
> a specification come along that needed additional EXPN/VRFY parameters 
> before
> this one, but these things have a way of showing up once you open the door 
> and
> get people thinking about them. So I'm strongly inclined to stick with the
> parameter approach.
>
>> With other commands, such as MAIL and RCPT, we've
>> already got a history of parameters and the base (821/5321)
>> syntax is very clearly delimited.  By contrast, I certainly
>> remember seeing VRFY followed by unquoted strings with blanks in
>> them in the wild (e.g., arrangements like
>>     VRFY Ned Freed
>> ) and some servers tolerating them in the name of robustness or
>> in memory of 821, which had
>>     VRFY <SP> <string> <CRLF>
>>     <string> ::= <char> | <char> <string>
>>     <char> ::= <c> | "\" <x>
>>     <c> ::= any one of the 128 ASCII characters,
>>         but not any <special> or <SP>
>>     <x> ::= any one of the 128 ASCII characters
>>        (no exceptions)
>> which makes
>>     VRFY Dave\ Crocker
>> perfectly valid.    I don't know if similar examples still occur
>> and with what frequency, but...
>
> OTOH, a lot of servers back in the days prior to RFC 2821 didn't support 
> the
> 821 thing of allowing literal spances with a \ and no enclosing quotes. So 
> this
> never could be said to have interoperated. And I think the time has come 
> to
> abandon it (although I note that if you really want to continue supporting 
> it,
> the added parameter doesn't prevent you from doing so).
>
> Ned
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
>