Re: New Issue: NOOP clarification
Hector Santos <hsantos@santronics.com> Sun, 02 December 2007 04:57 UTC
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB24vJvC003176 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 1 Dec 2007 21:57:19 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB24vJB5003175; Sat, 1 Dec 2007 21:57:19 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from winserver.com (ftp.catinthebox.net [208.247.131.9]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB24vHRp003166 for <ietf-smtp@imc.org>; Sat, 1 Dec 2007 21:57:18 -0700 (MST) (envelope-from hsantos@santronics.com)
Received: by winserver.com (Wildcat! SMTP Router v6.2.452.2) for ietf-smtp@imc.org; Sat, 01 Dec 2007 23:57:13 -0500
Received: from hdev1 ([72.144.183.54]) by winserver.com (Wildcat! SMTP v6.2.452.2) with ESMTP id 1899869750; Sat, 01 Dec 2007 23:57:12 -0500
Message-ID: <47523AC4.7000502@santronics.com>
Date: Sat, 01 Dec 2007 23:55:32 -0500
From: Hector Santos <hsantos@santronics.com>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)
MIME-Version: 1.0
To: ietf-smtp@imc.org
Subject: Re: New Issue: NOOP clarification
References: <474DEE11.4000200@santronics.com> <E01AF5C7672F184BA99D5BE6@p3.JCK.COM> <474F4754.8000406@santronics.com> <p06240807c375070bb1d3@[192.168.0.104]> <474F62E2.4080109@santronics.com> <p06240809c37514ce6013@[192.168.0.104]> <474F9B25.6060103@santronics.com> <20071201232538.GB20478@hjp.at>
In-Reply-To: <20071201232538.GB20478@hjp.at>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>
Peter J. Holzer wrote:
> This is an incompatible change in the protocol, as a client conforming
> to RFC 2821 is of course perfectly correct in sending the optional
> parameter while the server conforming to RFC 821 is equally correct in
> rejecting it.
Ok, this is just practice. :-) I am just winging it. Not proposing it
should be added. Just food for thought.
Does this make since? After the ABNF statement, add a note:
Syntax:
"NOOP" [ SP String ] CRLF
Note: If the SMTP client is required to fall back to a
HELO because it has connected to a legacy SMTP server following
RFC 821 (STD 10) specifications, then all follow up commands MUST
conform to RFC 821 command syntax. e.g., the client MUST not
send a string with the NOOP command.
If the client issued a "NOOP string" command before the EHLO,
it is possible to received a negative response 421 or 500
from a legacy SMTP server. In this case, the client MAY
use this negative response to proceed with a HELO fall
back command.
Of course, as John pointed out, it would of been better if the MS server
had use 500 instead of 421.
But at least implementators who are aware of this do have a work around.
Our CBV issues the NOOP before the EHLO, so we can possibly use this
unique response to continue the section:
S: 220 example.com Microsoft ESMTP MAIL Service ....
C: NOOP WCSAP v2.09 Wildcat! Sender Authentication Protocol ..
S: 421 5.5.2 Syntax error (command line too long)
C: EHLO mail.winserver.com
Of course, I don't think this is material for the specs. But at least we
have a unofficial work around available to avoid mail delivery issues.
> There is a way for the client to handle this problem: Send the optional
> parameter only if the server recognized EHLO (since then it claims to
> conform to 2821) and omit it otherwise. But 2821 contains no hint that
> the parameter is new and incompatible with 821, so this issue is only
> apparent if you compare the two RFCs.
Right. For the scenario like above where the NOOP is issued before the
EHLO, then I don't see no choice but detect this unique response and
continue with an EHLO. I am guessing, but if it was truly a strict 821
system, it might issue the 500 "invalid syntax"" response.
Of course, we could also change our code to issue the NOOP after EHLO or
HELO is determined. If it fall backs to HELO, then we know for sure not
to issue the NOOP string, in that case, we probably won't even issue
NOOP at all since the main purpose for here was to allow the server to
log it. That is how it currently used today by CBV systems.
> RFC 2821 also introduced the
> extension mechanism, which allows adding additional parameters to
> existing commands. For some reason, this was not used for NOOP, but an
> incompatible change was made in the core protocol (which I admit I don't
> understand: What is the purpose of this parameter? Why was it added at
> all? To reflect actual usage or just because somebody thought it might
> be useful?)
I can only guess "logging" were on people's mind. Thats how we are using
it. However, for one CBV system I am aware off, based on their "How it
works" documentation, they are adding a 32 bit unique hex hash number (8
characters) for tracing and also to help detect loops (show how).
Now that I think about it, I seem to recall Microsoft's Caller-ID
proposal taking NOOP to another level:
http://tools.ietf.org/html/draft-atkinson-callerid-00
Caller ID for E-mail was MS's original entry into the mix of LMAP
(domain::ip association) protocols which eventually merged with SPF to
create SENDER-ID:
5.2 SMTP Security Considerations
...
Specifically, prior to sending any SMTP MAIL commands, an SMTP
client SHOULD send to its server an SMTP NOOP command (see section
The 40 case-insensitive characters of the hexadecimal encoding
of the SHA1 hash of the entire data provided previously by the
server in its EHLO response (that is, the entire sequence of
characters matching the ehlo-ok-rsp production found in section
4.1.1.1 of [rfc2821]).
By including a pseudorandom string as part of its EHLO response, an
SMTP server can have reasonable confidence that, upon the receipt
of such a NOOP command, the SMTP client is in fact receiving its
responses, and one-side TCPIP hijacking is not occurring. Note that,
as a security consideration, the SMTP server provides no indication
in response to the NOOP as to whether a correct hash value was
provided.
And I would swear I seen other drafts that attempt to use NOOP for some
"authentication" purpose as well.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Tony Hansen
- Re: New Issue: NOOP clarification Glenn Anderson
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Glenn Anderson
- Re: New Issue: NOOP clarification John C Klensin
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Valdis.Kletnieks
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Valdis.Kletnieks
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Valdis.Kletnieks
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Valdis.Kletnieks
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification SM
- Re: New Issue: NOOP clarification John C Klensin
- New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification Sabahattin Gucukoglu
- Re: New Issue: NOOP clarification Frank Ellermann
- Re: New Issue: NOOP clarification Hector Santos
- Re: New Issue: NOOP clarification John C Klensin
- Re: New Issue: NOOP clarification Peter J. Holzer
- Re: New Issue: NOOP clarification Tony Hansen