IETF Logo Mail Archive

Re: STARTTLS & EHLO

Tony Hansen <tony@att.com> Mon, 26 January 2009 17:05 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QH53DZ023569 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 26 Jan 2009 10:05:03 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0QH53ue023568; Mon, 26 Jan 2009 10:05:03 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from mail146.messagelabs.com (mail146.messagelabs.com [216.82.241.147]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QH4pjc023550 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-smtp@imc.org>; Mon, 26 Jan 2009 10:05:02 -0700 (MST) (envelope-from tony@att.com)
X-VirusChecked: Checked
X-Env-Sender: tony@att.com
X-Msg-Ref: server-5.tower-146.messagelabs.com!1232989492!11908758!1
X-StarScan-Version: 6.0.0; banners=-,-,-
X-Originating-IP: [144.160.20.54]
Received: (qmail 30355 invoked from network); 26 Jan 2009 17:04:52 -0000
Received: from sbcsmtp7.sbc.com (HELO mlpi135.enaf.sfdc.sbc.com) (144.160.20.54) by server-5.tower-146.messagelabs.com with AES256-SHA encrypted SMTP; 26 Jan 2009 17:04:52 -0000
Received: from enaf.sfdc.sbc.com (localhost.localdomain [127.0.0.1]) by mlpi135.enaf.sfdc.sbc.com (8.14.3/8.14.3) with ESMTP id n0QH4oS9002677 for <ietf-smtp@imc.org>; Mon, 26 Jan 2009 12:04:50 -0500
Received: from alph001.aldc.att.com (alph001.aldc.att.com [135.53.7.26]) by mlpi135.enaf.sfdc.sbc.com (8.14.3/8.14.3) with ESMTP id n0QH4mjP002654 for <ietf-smtp@imc.org>; Mon, 26 Jan 2009 12:04:49 -0500
Received: from aldc.att.com (localhost.localdomain [127.0.0.1]) by alph001.aldc.att.com (8.14.0/8.14.0) with ESMTP id n0QH4mGE001867 for <ietf-smtp@imc.org>; Mon, 26 Jan 2009 12:04:48 -0500
Received: from maillennium.att.com (mailgw1.maillennium.att.com [135.25.114.99]) by alph001.aldc.att.com (8.14.0/8.14.0) with ESMTP id n0QH4haP001761 for <ietf-smtp@imc.org>; Mon, 26 Jan 2009 12:04:43 -0500
Received: from [135.70.102.51] (vpn-135-70-102-51.vpn.swst.att.com[135.70.102.51](untrusted sender)) by maillennium.att.com (mailgw1) with ESMTP id <20090126170442gw1000u6ete> (Authid: tony); Mon, 26 Jan 2009 17:04:42 +0000
Message-ID: <497DED29.70402@att.com>
Date: Mon, 26 Jan 2009 12:04:41 -0500
From: Tony Hansen <tony@att.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: ietf-smtp@imc.org
Subject: Re: STARTTLS & EHLO
References: <497DE492.4080506@pscs.co.uk>
In-Reply-To: <497DE492.4080506@pscs.co.uk>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

At the heart of this question is whether a client is free to use an
extension supported by the server if they haven't issued an EHLO? This
question holds true for any extension, not just for STARTTLS. Is issuing
an EHLO an enabler for the extension as well as a query to determine
which extensions are supported by the server?

To answer these questions, I note this text in RFC 5321 highlighted with
>>><<<:

   3.2.  Client Initiation

   Once the server has sent the greeting (welcoming) message and the
   client has received it, the client normally sends the EHLO command to
   the server, indicating the client's identity.  In addition to
   opening the session, use of EHLO >>>indicates that the client is able
   to process service extensions<<< and requests that the server provide
   a list of the extensions it supports.

So this indicates to me that EHLO does indeed act as a gateway and
enabler to the use of extensions. So I'd argue that a server is free to
reject the use of any extensions unless a client has used EHLO prior to
that.

By extension, if you expect to use any further SMTP extensions after
negotiating TLS, I think you MUST resend an EHLO.

However, if you're *not* using any further extensions after STARTTLS was
sent, I don't see a requirement. So consequently, since you say you're
not using any other extensions, I don't see the case for them refusing
the message at that point without the EHLO.

	Tony Hansen
	tony@att.com

Paul Smith wrote:
> We've just had a small issue come up wrt STARTTLS and I was wondering if
> it was a mistake in RFC 3207, or just me :)
> 
> We did a quick patch for someone and added STARTTLS into a new part of
> our software in a special build. For speed of releasing the patch, we
> didn't make it issue a new EHLO afterwards, based on section 4.2 of RFC 3207
> 
> "  The client SHOULD send an EHLO command as the
>    first command after a successful TLS negotiation."
> 
> 
> (SHOULD, not MUST). We were planning to add the extra EHLO in before
> this went to a general release (we don't need to know about any
> extensions other than that STARTTLS, so it's not necessary from our PoV)
> . Anyway, 99.9% of the time, it's OK, but they have encountered one
> recipient which refuses to accept the message in this case. So, they
> seem to be treating the 'SHOULD' as 'MUST'.
> 
> Now, earlier in section 4.2, it says "
> 
> "  The server MUST discard any knowledge
>    obtained from the client, such as the argument to the EHLO command,
>    which was not obtained from the TLS negotiation itself"
> 
> 
> which I guess is why they are rejecting the message, because (since they
> have discarded the fact that we have previously sent EHLO) they are
> complaining that we haven't sent EHLO yet.
> 
> So, should the 'SHOULD' be a 'MUST' in this RFC, or is the other server
> incorrect?
>

v2.23.0 | Report a Bug | By Email