Re: [Extra] I-D Action: draft-ietf-extra-imap4rev2-25.txt

Alexey Melnikov <alexey.melnikov@isode.com> Mon, 15 February 2021 12:16 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: extra@ietfa.amsl.com
Delivered-To: extra@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E50773A125D for <extra@ietfa.amsl.com>; Mon, 15 Feb 2021 04:16:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YHFOrQEioX9G for <extra@ietfa.amsl.com>; Mon, 15 Feb 2021 04:16:16 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 4E8B83A1287 for <extra@ietf.org>; Mon, 15 Feb 2021 04:16:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1613391373; d=isode.com; s=june2016; i=@isode.com; bh=hy+Mu1LEvN2R949uRBmW11Bt/QnD3lsZwzjeOcihZyE=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=C79Yo6X9fTSVsyKEXyXK56gaiz7b6wE/8rRHn4iKx+pYwB7+Q9KqDEi3QvFoy/NOdAuoZK WgNGWZMRrCfdyo0gp2YReroUBB8NnBJOEdEz3L8/sDbKE1U+vEk+OsXAJPcH/Ol773K/cU PWQr2NMpf9bKujgJGnsYuEQiiINKPhw=;
Received: from [192.168.1.222] (host5-81-100-89.range5-81.btcentralplus.com [5.81.100.89]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <YCpmDQAuQRcJ@waldorf.isode.com>; Mon, 15 Feb 2021 12:16:13 +0000
To: extra@ietf.org
References: <161116825043.14636.11363330782678240238@ietfa.amsl.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <5d2d644d-115b-a21b-203b-7c2bc3259b39@isode.com>
Date: Mon, 15 Feb 2021 12:16:12 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0
In-Reply-To: <161116825043.14636.11363330782678240238@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/extra/e-O76-39Vfj4QQMZg0CK2X6API4>
Subject: Re: [Extra] I-D Action: draft-ietf-extra-imap4rev2-25.txt
X-BeenThere: extra@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email mailstore and eXtensions To Revise or Amend <extra.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/extra>, <mailto:extra-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/extra/>
List-Post: <mailto:extra@ietf.org>
List-Help: <mailto:extra-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/extra>, <mailto:extra-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 12:16:28 -0000

Hi all,

On 20/01/2021 18:44, internet-drafts@ietf.org wrote:

> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-extra-imap4rev2/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-extra-imap4rev2-25
> https://datatracker.ietf.org/doc/html/draft-ietf-extra-imap4rev2-25
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-extra-imap4rev2-25

I know I am doing this out of order, but I missed summarizing 
changes in this revision, which are pretty significant:

1) Clarified that the list of capabilities can change after STARTTLS, 
AUTHENTICATE, LOGIN.

2) Added prohibition to use ALERT before STARTTLS/SASL security layer, 
as this can be used by MITM attackers against clients.

3) Added a new requirement on clients that require TLS when they see 
PREAUTH on a cleartext port. As a PREAUTH response forces the client to 
bypass the STARTTLS command, such clients are required to close the connection.

4) Added a new Security Considerations subsection talking about 
unsolicited responses received in wrong states and that clients must 
ignore them. For example, LIST received before authentication must be 
ignored. Similarly, EXISTS/FLAGS/FETCH received when there is no mailbox 
is selected.

5) Added new requirement that servers MUST implement implicit TLS port 
handling (993) and SHOULD implement cleartext port with STARTTLS. 
(Clients MUST implement both.) This seems to match what many ISPs are doing.

6) Added missing IANA registrations.

7) Some minor ABNF clarifications (added pointers for some ABNF 
productions imported from other documents).

8) Some minor wording changes for clarity.

Best Regards,

Alexey
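The client-side rules summarised in items 1 to 4 of the message above, as an added worked example that is not part of the original post, the draft, or any IMAP library. It models a client that has not yet sent STARTTLS on a cleartext port: ALERT text is not surfaced before a TLS/SASL security layer exists, PREAUTH on a cleartext port closes the connection when the client requires TLS, untagged responses that only make sense in a later state are ignored, and cached CAPABILITY data is discarded after STARTTLS or after authentication. The class name, the state table, and the sample server lines are constructed for illustration.

```python
"""Client-side IMAP response guard (constructed example, not from any
IMAP implementation). Each server line yields ('accept'|'ignore'|'close', reason)."""
import re

NOT_AUTHENTICATED, AUTHENTICATED, SELECTED = "not_authenticated", "authenticated", "selected"
STATE_RANK = {NOT_AUTHENTICATED: 0, AUTHENTICATED: 1, SELECTED: 2}

# Earliest state in which a client should trust each untagged response.
# Constructed table: the draft's new security subsection motivates the groups.
MIN_STATE = {
    "LIST": AUTHENTICATED, "STATUS": AUTHENTICATED, "NAMESPACE": AUTHENTICATED,
    "ESEARCH": AUTHENTICATED,
    "EXISTS": SELECTED, "FLAGS": SELECTED, "FETCH": SELECTED, "EXPUNGE": SELECTED,
}

# "* [number] NAME [rest]", e.g. "* 3 EXISTS" or "* OK [ALERT] text".
_UNTAGGED = re.compile(r"^\* (?:(\d+) )?([A-Z]+)(?: (.*))?$")


class ImapResponseGuard:
    def __init__(self, require_tls=True, cleartext_port=True):
        self.require_tls = require_tls
        self.cleartext_port = cleartext_port          # True: port 143, False: port 993
        self.security_layer = not cleartext_port      # implicit TLS is already a layer
        self.state = NOT_AUTHENTICATED
        self.capabilities = None                      # None => must (re)issue CAPABILITY

    # --- transitions driven by the client's own commands ---------------------
    def starttls_done(self):
        self.security_layer = True
        self.capabilities = None   # capability list may change after STARTTLS

    def authenticated(self):
        self.state = AUTHENTICATED
        self.capabilities = None   # ... and after AUTHENTICATE / LOGIN

    def selected(self):
        self.state = SELECTED

    # --- filtering of server lines -------------------------------------------
    def handle(self, line):
        m = _UNTAGGED.match(line)
        if not m:
            return ("accept", "tagged or continuation response")
        name, rest = m.group(2), m.group(3) or ""
        if name == "PREAUTH":
            if self.cleartext_port and self.require_tls:
                return ("close", "PREAUTH on cleartext port prevents STARTTLS")
            self.state = AUTHENTICATED
            return ("accept", "PREAUTH")
        if name in ("OK", "NO", "BAD", "BYE") and rest.upper().startswith("[ALERT]") \
                and not self.security_layer:
            return ("ignore", "ALERT before security layer (possible MITM)")
        if name == "CAPABILITY":
            self.capabilities = set(rest.split())
            return ("accept", "CAPABILITY cached")
        needed = MIN_STATE.get(name)
        if needed and STATE_RANK[self.state] < STATE_RANK[needed]:
            return ("ignore", f"{name} not valid in {self.state} state")
        return ("accept", name)


def demo():
    """Constructed cleartext-port session in which each rule fires once."""
    guard = ImapResponseGuard(require_tls=True, cleartext_port=True)
    log = []
    for line in [
        "* OK [ALERT] Password expired, log in at http://example.invalid/",  # before TLS
        '* LIST (\\Noselect) "/" ""',          # LIST while not authenticated
        "* 3 EXISTS",                          # EXISTS with no mailbox selected
        "* CAPABILITY IMAP4rev2 STARTTLS LOGINDISABLED",
    ]:
        log.append(guard.handle(line))
    guard.starttls_done()                              # client completed STARTTLS
    log.append(("capabilities", guard.capabilities))   # None: must ask again
    log.append(guard.handle("* OK [ALERT] Password expired"))  # now safe to show
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The same guard instantiated with `cleartext_port=False` accepts PREAUTH and moves to the authenticated state, because on an implicit-TLS port there is no STARTTLS to bypass.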