IETF Logo Mail Archive

Re: [apps-discuss] [EAI] RFC5336 and VRFY/EXPN (was: Re: apps-team review of draft-ietf-eai-rfc5336bis)

Ned Freed <ned.freed@mrochek.com> Sun, 26 December 2010 23:31 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 65FA23A681D for <apps-discuss@core3.amsl.com>; Sun, 26 Dec 2010 15:31:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.369
X-Spam-Level:
X-Spam-Status: No, score=-2.369 tagged_above=-999 required=5 tests=[AWL=0.230, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4bUWAf5JhFy for <apps-discuss@core3.amsl.com>; Sun, 26 Dec 2010 15:31:22 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by core3.amsl.com (Postfix) with ESMTP id A73BC3A6810 for <apps-discuss@ietf.org>; Sun, 26 Dec 2010 15:31:21 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01NVVQNUOXPS00EQ3W@mauve.mrochek.com> for apps-discuss@ietf.org; Sun, 26 Dec 2010 15:33:20 -0800 (PST)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01NVRNC53SM8007CHU@mauve.mrochek.com>; Sun, 26 Dec 2010 15:33:17 -0800 (PST)
Message-id: <01NVVQNSWU7U007CHU@mauve.mrochek.com>
Date: Sun, 26 Dec 2010 14:53:46 -0800
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Sat, 25 Dec 2010 15:20:07 -0500" <227C2506194609988B81BE4F@PST.JCK.COM>
MIME-version: 1.0
Content-type: TEXT/PLAIN
References: <Pine.OSX.4.64.1012221602490.40683@mac-allocchio3.elettra.trieste.it> <01NVQAP0UQRU007CHU@mauve.mrochek.com> <227C2506194609988B81BE4F@PST.JCK.COM>
To: John C Klensin <klensin@jck.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mrochek.com; s=mauve; t=1293403441; bh=jZMmTMwLMswKSme1ZsJUrxMcukzd836HaXPmIEY3dtY=; h=Cc:Message-id:Date:From:Subject:In-reply-to:MIME-version: Content-type:References:To; b=jEGod2A0Qvo+KJtQv0ayd7dtrXoWs6Aue+4DjZw4+3dOoeUuCsMZerTC3ioi0NpsZ Ubi0gLkXV3wPakR4cvy0JNIA47/UsFDc9zGYwTEv8hY1BWuMM5OrHb6v2aXigbk4Cj DPS+O8mY8gJTVR2Q9U1QrZwrE0SW/O+HO4OzlCOw=
Cc: Alexey.Melnikov@isode.com, apps-discuss@ietf.org, Ned Freed <NED+eai@mauve.mrochek.com>, ima@ietf.org, draft-ietf-eai-rfc5336bis@tools.ietf.org
Subject: Re: [apps-discuss] [EAI] RFC5336 and VRFY/EXPN (was: Re: apps-team review of draft-ietf-eai-rfc5336bis)
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Dec 2010 23:31:25 -0000

> In addition, one must have a session for which mail transactions
> are permitted (i.e., EHLO must have been sent) in order to use
> any parameters at all.

You certainly need to send an EHLO and process the result to find out what
extensions are allowed - guessing what combination of extensions will work most
certainly is not a sound operational policy. And implementations are certainly
free to only offer the extensions that have been returned in an EHLO repsonse.

That said, I don't see an actual requirement in section 2.2 stating that EHLO
must be issued before any parameters can be used. (Maybe it's somewhere else,
but a cursory search didn't find it.) Our MTA certainly doesn't enforce this
and AFAIK neither does sendmail, PostFix, Apache James, or qmail. (Exim, OTOH,
appears to.)

> RFC 5321, Section 4.1.4, explicitly
> permits sending VRFY or EXPN without first having EHLO in the
> session.  So there is another implicit requirement in all of
> this that should almost certainly be made explicit.

There certainly should be a note saying that you need to issue an EHLO
and check the response before attaching any parameters to VRFY/EXPN. I don't
think a requirement that parameters not be accepted before an EHLO
has been issued is needed.

> (I think
> this is the topic about handshaking that Dave and Shawn have
> been circling around, but I'm not sure).

It's part of it, I think.

> > However, this brings up
> > another     issue, which is that a server that supports this
> > extension needs a way     to tell a client that doesn't that
> > it cannot return a proper response     to VRFY/EXPN without
> > that parameter being specified. A new SMTP error     status is
> > needed, but the document only defines an extended status
> > for this purpose; it doesn't specify a regular status code to
> > use.

> If we go down this path, the WG clearly needs to reexamine
> whether such a code is necessary.  I think you have made a
> persuasive case, but I can't speak for the WG.

It doesn't have to be a new code. OTOH, it needs to be a code that EXPN/VRFY
don't return for other purposes, and I think if you look at the list of
available codes a new code is needed.

> Indeed, this has all gotten sufficiently complex that I think
> perhaps the WG should reexamine its decision to handle the "VRFY
> and EXPN with possible non-ASCII responses" situation by
> parameterizing those commands rather than introducing new
> commands, say VRF8 and EXP8.  IIR, the WG did consider that
> alternative (long ago) and conclude that adding a parameter was
> the more straightforward option. But, perhaps, given the
> various complexities that have emerged, that was not the right
> decision.

I considered suggesting new commands, but given the need to specify
syntax for the new commands I don't see this as any simplier
specification-wise. In terms of implementation, a new command is actually
a somewhat more complex - the code changes are less localized, and I suspect
other implementations will be comparable in this regard.

But the minute you need some other variant on EXPN and VRFY, the alternate
command appraoch becomes the far more complex way to do it. Now, we haven't had
a specification come along that needed additional EXPN/VRFY parameters before
this one, but these things have a way of showing up once you open the door and
get people thinking about them. So I'm strongly inclined to stick with the
parameter approach.

> With other commands, such as MAIL and RCPT, we've
> already got a history of parameters and the base (821/5321)
> syntax is very clearly delimited.  By contrast, I certainly
> remember seeing VRFY followed by unquoted strings with blanks in
> them in the wild (e.g., arrangements like
>     VRFY Ned Freed
> ) and some servers tolerating them in the name of robustness or
> in memory of 821, which had
>     VRFY <SP> <string> <CRLF>
>     <string> ::= <char> | <char> <string>
>     <char> ::= <c> | "\" <x>
>     <c> ::= any one of the 128 ASCII characters,
>         but not any <special> or <SP>
>     <x> ::= any one of the 128 ASCII characters
>        (no exceptions)
> which makes
>     VRFY Dave\ Crocker
> perfectly valid.    I don't know if similar examples still occur
> and with what frequency, but...

OTOH, a lot of servers back in the days prior to RFC 2821 didn't support the
821 thing of allowing literal spances with a \ and no enclosing quotes. So this
never could be said to have interoperated. And I think the time has come to
abandon it (although I note that if you really want to continue supporting it,
the added parameter doesn't prevent you from doing so).

				Ned

v2.23.0 | Report a Bug | By Email