IETF Logo Mail Archive

Re: STARTTLS & EHLO

John C Klensin <john+smtp@jck.com> Thu, 29 January 2009 15:54 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0TFs2Bu022761 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 29 Jan 2009 08:54:02 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0TFs2Tj022760; Thu, 29 Jan 2009 08:54:02 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from bs.jck.com (ns.jck.com [209.187.148.211]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0TFroeB022744 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-smtp@imc.org>; Thu, 29 Jan 2009 08:54:02 -0700 (MST) (envelope-from john+smtp@jck.com)
Received: from [127.0.0.1] (helo=localhost) by bs.jck.com with esmtp (Exim 4.34) id 1LSZDC-000DZe-22; Thu, 29 Jan 2009 10:53:50 -0500
Date: Thu, 29 Jan 2009 10:53:49 -0500
From: John C Klensin <john+smtp@jck.com>
To: Tony Hansen <tony@att.com>, ietf-smtp@imc.org
Subject: Re: STARTTLS & EHLO
Message-ID: <37F39FF37390694B69567838@PST.JCK.COM>
In-Reply-To: <4981C6BD.2040900@att.com>
References: <497DE492.4080506@pscs.co.uk> <497DED29.70402@att.com> <497ED420.30708@pscs.co.uk> <alpine.LSU.2.00.0901271403220.4546@hermes-2.csi.cam.ac.uk> <497F86CB.60904@att.com> <alpine.LSU.2.00.0901281434440.4546@hermes-2.csi.cam.ac.uk> <498088B8.9040404@pscs.co.uk> <alpine.LSU.2.00.0901291310080.4546@hermes-2.csi.cam.ac.uk> <4981C0D5.1010401@pscs.co.uk> <4981C6BD.2040900@att.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

--On Thursday, January 29, 2009 10:09 -0500 Tony Hansen
<tony@att.com> wrote:

> If this is the interpretation that we gain consensus on, that
> it means "start over from scratch", it might as well also say
> that it
> 
> 	SHOULD only be executed immediately after the initial EHLO.
> 
> The only possible exceptions to this rule would be for verbs
> that don't affect the state machine, such as VRFY, EXPN, HELP,
> NOOP.

RSET is also harmless immediately after EHLO.  Changing the
state from "session open (EHLO issued), no mail transaction
state" to "session open (EHLO issued), no mail transaction
state" is a no-op.  And the first paragraph of 4.1.1.5 of 5321
says that.

Out of context, I'm not sure exactly what you are suggesting
above, but I believe that it would mean:

    S: 220 ...
    C: EHLO ...
    S: 250-...
    S: 250-STARTTLS
    S: 250-...
    S: 250 OK
    C: STARTTLS  ...
    (TLS session starts)
    and the next command must be either EHLO
    or as many instances of any of VRFY, 
      EXPN, HELP, NOOP, RSET as desired, followed by EHLO

Also, the "what the server MUST (or SHOULD) discard and the
client MUST (or SHOULD) not depend on" sentences and example
might reasonably be modified to explicitly include any
information gained from VRFY or EXPN issued between the 220
greeting and the initial EHLO.  While one might not trust VRFY
or EXPN queries or results issued under TLS either, it would be
pointless and silly to send them before the initial EHLO if one
knew that one was going to issue STARTTLS if the server
permitted it.   Indeed the only reason for doing so would be if
one intended to make a decision about whether to continue with a
mail transaction at all based on the results of VRFY or EXPN...
and that would be very rare today except in special
circumstances.

      john

v2.23.0 | Report a Bug | By Email