IETF Logo Mail Archive

Re: STARTTLS & EHLO

Tony Hansen <tony@att.com> Wed, 28 January 2009 21:33 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SLXZQ6069795 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Jan 2009 14:33:35 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0SLXZuN069794; Wed, 28 Jan 2009 14:33:35 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from mail167.messagelabs.com (mail167.messagelabs.com [216.82.253.179]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SLXOBs069773 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-smtp@imc.org>; Wed, 28 Jan 2009 14:33:35 -0700 (MST) (envelope-from tony@att.com)
X-VirusChecked: Checked
X-Env-Sender: tony@att.com
X-Msg-Ref: server-2.tower-167.messagelabs.com!1233178403!12964699!1
X-StarScan-Version: 6.0.0; banners=-,-,-
X-Originating-IP: [144.160.128.141]
Received: (qmail 14601 invoked from network); 28 Jan 2009 21:33:23 -0000
Received: from sbcsmtp9.sbc.com (HELO flph161.enaf.ffdc.sbc.com) (144.160.128.141) by server-2.tower-167.messagelabs.com with AES256-SHA encrypted SMTP; 28 Jan 2009 21:33:23 -0000
Received: from enaf.ffdc.sbc.com (localhost.localdomain [127.0.0.1]) by flph161.enaf.ffdc.sbc.com (8.14.3/8.14.3) with ESMTP id n0SLXMUt028149 for <ietf-smtp@imc.org>; Wed, 28 Jan 2009 13:33:23 -0800
Received: from klph001.kcdc.att.com (klph001.kcdc.att.com [135.188.3.11]) by flph161.enaf.ffdc.sbc.com (8.14.3/8.14.3) with ESMTP id n0SLXLl7028141 for <ietf-smtp@imc.org>; Wed, 28 Jan 2009 13:33:22 -0800
Received: from kcdc.att.com (localhost.localdomain [127.0.0.1]) by klph001.kcdc.att.com (8.14.0/8.14.0) with ESMTP id n0SLXLHx012266 for <ietf-smtp@imc.org>; Wed, 28 Jan 2009 15:33:21 -0600
Received: from maillennium.att.com (dns.maillennium.att.com [135.25.114.99]) by klph001.kcdc.att.com (8.14.0/8.14.0) with ESMTP id n0SLXI3V012253 for <ietf-smtp@imc.org>; Wed, 28 Jan 2009 15:33:19 -0600
Received: from [135.70.181.172] (vpn-135-70-181-172.vpn.mwst.att.com[135.70.181.172](untrusted sender)) by maillennium.att.com (mailgw1) with ESMTP id <20090128213318gw1000u6u5e> (Authid: tony); Wed, 28 Jan 2009 21:33:18 +0000
Message-ID: <4980CF1D.4000303@att.com>
Date: Wed, 28 Jan 2009 16:33:17 -0500
From: Tony Hansen <tony@att.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: ietf-smtp@imc.org
Subject: Re: STARTTLS & EHLO
References: <497DE492.4080506@pscs.co.uk> <497DED29.70402@att.com> <497ED420.30708@pscs.co.uk> <alpine.LSU.2.00.0901271403220.4546@hermes-2.csi.cam.ac.uk> <497F86CB.60904@att.com> <4980C684.2070300@santronics.com>
In-Reply-To: <4980C684.2070300@santronics.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

Hector, what started this was a client that doesn't use any other
extended smtp features beyond STARTTLS. So once it had started up TLS,
it had no use for the output of EHLO, and consequently it didn't bother
sending either HELO or EHLO after the STARTTLS. This was fine until it
ran into a server that demanded that EHLO be sent again. Leading to the
questions on the table: 1) which interpretation of the spec is correct,
and 2) what should be done once this is decided?

	Tony Hansen
	tony@att.com

Hector Santos wrote:
> 
> My take on this:
> 
> I think the client should be aware that most, if not all, servers expect
> a 2nd pass of EHLO, but I also believe the client should not presume
> server features would be the same under TLS and NON-TLS sessions.
> 
> For example, the use case where the private or even public server allows
> a stronger AUTH for non TLS sessions and allows weaker AUTH under TLS:
> 
>    S: 220 blah blah blah
>    C: EHLO client-domain.com
>    S: 250-server-domain.com
>    S: 250 AUTH CRAM-MD5 OTHER
>    S: 250 STARTTLS
>    C: MAIL FROM: <xxxxxxx>
>    S: 530 Must issue a STARTTLS or AUTH command first
>    ...
> 
> Note: both RFC 2487 (TLS) and RFC 2554 (AUTH) use 530 for an enforcement
> requirement. So here, if it client support CRAM or DIGEST it can
> continue with AUTH CRAM-MD5 or AUTH OTHER. But if it does not support
> these stronger AUTH, and does support TLS, it can continue with a STARTLS:
> 
>    ...
>    C: STARTTLS
>    S: 220 Go ahead
>    C & S: <TLS negotiation>
>    C: MAIL FROM: <xxxxxxx>
>    S: 530 AUTH command first
>    C: EHLO client-domain.com
>    S: 250-server-domain.com
>    S: 250 AUTH LOGIN
>    S: 250 AUTH-LOGIN
>    S: AUTH LOGIN
>    S: 235 Authentication successful.
> 
> The point is, the client MUST be aware of this possibility and should
> always (MUST) issue an EHLO after TLS is established.
> 
> The idea of public vs private and level of authentication is discussed
> in 2487 and this is where the 4.2 statement:
> 
>    The client SHOULD send an EHLO command as the
>    first command after a successful TLS negotiation.
> 
> is "forgetful" of its other key points.  So it should of been something
> like:
> 
>    For a SMTP server that is privately referenced, the client
>    MUST issue the EHLO command after a successful TLS negotiation
>    to determine if there are any changes in AUTH methods, such
>    as the strength of the authentication.
> 
>    If the server is the publicly reference, the client SHOULD
>    send an EHLO command as the first command after a successful
>    TLS negotiation, however, it is highly recommended it reissues
>    the EHLO in all cases.
> 
>    The client SHOULD not degrade from EHLO to HELO.
> 
> My take.
>

v2.23.0 | Report a Bug | By Email