Re: [lemonade] streamlined message submission
Randall Gellens <randy@qualcomm.com> Sat, 04 March 2006 02:34 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FFMb2-0008Bo-1W; Fri, 03 Mar 2006 21:34:16 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FFMb0-00089F-UU for lemonade@ietf.org; Fri, 03 Mar 2006 21:34:14 -0500
Received: from ithilien.qualcomm.com ([129.46.51.59]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FFMaz-0006Fg-32 for lemonade@ietf.org; Fri, 03 Mar 2006 21:34:14 -0500
Received: from neophyte.qualcomm.com (neophyte.qualcomm.com [129.46.61.149]) by ithilien.qualcomm.com (8.12.10/8.12.5/1.0) with ESMTP id k242Y9Ms011118 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <lemonade@ietf.org>; Fri, 3 Mar 2006 18:34:10 -0800
Received: from [129.46.172.15] (vpn-10-50-16-81.qualcomm.com [10.50.16.81]) by neophyte.qualcomm.com (8.13.5/8.12.5/1.0) with ESMTP id k242Y6hB003355 for <lemonade@ietf.org>; Fri, 3 Mar 2006 18:34:07 -0800 (PST)
Mime-Version: 1.0
Message-Id: <p07000c39c02e9fd5ca8a@[129.46.172.15]>
In-Reply-To: <DFFAA59A7AAA0F1946ED42D8@[10.1.110.5]> <Pine.LNX.4.64.0602221744440.24112@hermes-2.csi.cam.ac.uk> <43FC8731.3080505@teamware.com> <22667.1140657288.257701@peirce.dave.cridland.net> <Pine.LNX.4.64.0602221459460.24112@hermes-2.csi.cam.ac.uk> <21533.1140619429.225276@peirce.dave.cridland.net> <01LZ9CVRUSC000009C@mauve.mrochek.com> <01LZ8M8NO8S800009C@mauve.mrochek.com> <01LZ9FNBLMAS00009C@mauve.mrochek.com> <Pine.LNX.4.64.0602221332430.24112@hermes-2.csi.cam.ac.uk> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk>
References: <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <DFFAA59A7AAA0F1946ED42D8@[10.1.110.5]> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <21533.1140619429.225276@peirce.dave.cridland.net> <01LZ9FNBLMAS00009C@mauve.mrochek.com> <Pine.LNX.4.64.0602221744440.24112@hermes-2.csi.cam.ac.uk> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <01LZ8M8NO8S800009C@mauve.mrochek.com> <Pine.LNX.4.64.0602221332430.24112@hermes-2.csi.cam.ac.uk> <01LZ9CVRUSC000009C@mauve.mrochek.com> <43FC8731.3080505@teamware.com> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <21533.1140619429.225276@peirce.dave.cridland.net> <Pine.LNX.4.64.0602221459460.24112@hermes-2.csi.cam.ac.uk> <22667.1140657288.257701@peirce.dave.cridland.net> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <21533.1140619429.225276@peirce.dave.cridland.net> <Pine.LNX.4.64.0602221459460.24112@hermes-2.csi.cam.ac.uk> <21533.1140619429.225276@peirce.dave.cridland.net> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <01LZ8M8NO8S800009C@mauve.mrochek.com> <Pine.LNX.4.64.0602221332430.24112@hermes-2.csi.cam.ac.uk> <01LZ9CVRUSC000009C@mauve.mrochek.com> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <01LZ8M8NO8S800009C@mauve.mrochek.com> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <21533.1140619429.225276@peirce.dave.cridland.net> <01LZ9FNBLMAS00009C@mauve.mrochek.com> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk> <01LZ8M8NO8S800009C@mauve.mrochek.com> <Pine.LNX.4.64.0602221332430.24112@hermes-2.csi.cam.ac.uk> <Pine.LNX.4.64.0602220017450.24112@hermes-2.csi.cam.ac.uk>
X-Mailer: Eudora for Mac OS X v7.0a
X-message-flag: Using Outlook? Upgrade to Eudora: <http://www.eudora.com>
Date: Fri, 03 Mar 2006 18:33:49 -0800
To: lemonade@ietf.org
From: Randall Gellens <randy@qualcomm.com>
Subject: Re: [lemonade] streamlined message submission
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Random-Sig-Tag: 1.0b28
X-Random-Sig-Tag: 1.0b28
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a1852b4f554b02e7e4548cc7928acc1f
X-BeenThere: lemonade@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Enhancements to Internet email to support diverse service enivronments <lemonade.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/lemonade>, <mailto:lemonade-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:lemonade@ietf.org>
List-Help: <mailto:lemonade-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/lemonade>, <mailto:lemonade-request@ietf.org?subject=subscribe>
Errors-To: lemonade-bounces@ietf.org
At 5:09 PM -0800 2/21/06, Ned Freed wrote: > > > http://www.cus.cam.ac.uk/~fanf2/hermes/doc/antiforgery/draft-fanf-smtp-tls-on-connect.txt > > I have to say I agreed with the decision not to go with separate > ports and with > STARTTLS instead. And although this does reduce round trips significantly I'm > fairly unenthusiastic it, but less because I agreed with the prior > decision and > more because I predict there will be opposition to moving back to the smtps > approach from the security folks. And although we've supported smtps in our > product for a long time, I don't in practice see the large amounts > of lingering > use of it you do. One of the main arguments against alternate-port-TLS is what happens if/when we deploy something else that replaces TLS? Does each protocol then need three ports? I wonder if it would be worth trying an approach that connects on the standard port, but immediately tried to negotiate TLS, without waiting for the usual greeting and extension list? As long as existing servers send an error when they see the start of a TLS negotiation, it might be OK. > > > http://www.cus.cam.ac.uk/~fanf2/hermes/doc/antiforgery/draft-fanf-smtp-quickstart.txt > > This extension seems quite reasonable to me. I'm bothered by a few things: (1) would there be problems with clients connecting to servers and getting unexpected multi-line greetings? [Ned seems to think this would be fine, so maybe we don't worry here.] (2) this business of the client using something extended as its first command to signal to the server that it is fine seems fragile (3) the burden on the client of correctly caching the server's extensions at the right time doesn't seem to be clearly described: in one place it says the client uses its most recent cache, yet in another it says that the client can't use SMTP AUTH if the server didn't advertise it prior to TLS; the most recent cache is likely to be post-TLS. (4) why would a server advertise PIPELINING in the greeting yet not in an EHLO response? Or is there another reason the client can't assume PIPELINING if it sees it in the greeting yet issues an EHLO? If we do proceed with this, I'd suggest that it MUST NOT be used on port 25; it MUST be a port 587 mechanism only. This is because some servers have adopted anti-spam techniques that in some cases detect extra commands that are sent with the HELO/EHLO command (or otherwise look at client use of PIPELINING without having negotiated it). I'd suggest that, while logging of client IP address is useful, reverse DNS information may be misleading and is generally much less useful. They are certainly not equivalent. It is fairly trivial for someone to setup their own PTR entries for IP addresses they own, containing any host names they choose; even when no malice is intended, the reverse zone is the most likely to be misconfigured. > > > http://www.cus.cam.ac.uk/~fanf2/hermes/doc/antiforgery/draft-fanf-smtp-rcpthdr.txt > (0) How are malformed or unparseable To:/Cc:/Bcc: fields supposed to be > handled? There's no place to report such an error in the dialogue and > a DSN isn't designed to report such issues. > (1) How are problems with specific recipient addresses supposed to > be handled? If we do proceed with this draft, I'd suggest that malformed and unparseable address headers, as well as errors for a specific address, be handled by a new extended SMTP response code and including the bad address (or the entire header if it is bad) in square brackets in the text. This would have to be a response after end of data, of course. It's still a lot tricker for clients to get this right than an immediate error after the specific RCPT TO, but it's much, much, much better than accepting the message and generating a DSN. At 5:16 PM +0000 2/22/06, Tony Finch wrote: > On Wed, 22 Feb 2006, Dave Cridland wrote: > > > > > http://www.cus.cam.ac.uk/~fanf2/hermes/doc/antiforgery/draft-fanf-submission-streamlined.txt >> >> BURL doesn't allow clients to pipeline AUTH - that's just possible > > anyway with a server that supports PIPELINING. > > The BURL spec is the only document that gives permission to do it. This is something we could likely tighten up in profile-bis. > Pipelined QUIT is included in an example in RFC 2920. It shouldn't be a > problem if the client waits for all the server's responses. The client would pipeline QUIT and check the responses after the connection closes, right? I suppose we'd want an extension that said "if any RCPT is bad then please ignore any subsequent ones because I don't really want it sent even though it might seem so but that is just because I am pipelining everything". It would be the moral equivalent of the compiler flags to treat all warnings as errors. The client would include this new keyword on MAIL FROM (maybe ABORTONBADRCPT), the server would generate usual responses to every RCPT TO, then if any were bad, it would send a failure after end-of-data. > You can't reliably auto-detect plaintext SMTP (or IMAP) versus > TLS-on-connect on the same port, because there's a mismatch between who > talks first. If it was consistently the client that talked first then the > server could autodetect, but the SMTP or IMAP server banner prevents this. But the server can check before it sends the greeting to see if the client sent any data and if so if it is a TLS initiation, couldn't it? They way some servers now check if the client sent commands without waiting for the EHLO response? -- Randall Gellens Opinions are personal; facts are suspect; I speak for myself only -------------- Randomly-selected tag: --------------- Get your facts first, and then you can distort them as much as you please. --Mark Twain _______________________________________________ lemonade mailing list lemonade@ietf.org https://www1.ietf.org/mailman/listinfo/lemonade
- [lemonade] streamlined message submission Tony Finch
- Re: [lemonade] streamlined message submission Ned Freed
- Re: [lemonade] streamlined message submission Tony Finch
- Re: [lemonade] streamlined message submission Ned Freed
- Re: [lemonade] streamlined message submission Dave Cridland
- Re: [lemonade] streamlined message submission Antony Bowesman
- Re: [lemonade] streamlined message submission Ned Freed
- Re: [lemonade] streamlined message submission Tony Finch
- Re: [lemonade] streamlined message submission Tony Finch
- Re: [lemonade] streamlined message submission Dave Cridland
- Re: [lemonade] streamlined message submission Chris Newman
- [lemonade] Re: PIPELINING, AUTH, and CHUNKING Tony Finch
- [lemonade] Re: PIPELINING and failed recipients Tony Finch
- [lemonade] Re: PIPELINING and failed recipients Dave Cridland
- [lemonade] SMTP QUICKSTART Tony Finch
- Re: [lemonade] SMTP QUICKSTART Dave Cridland
- Re: [lemonade] SMTP QUICKSTART Tony Finch
- Re: [lemonade] SMTP QUICKSTART Tony Finch
- Re: [lemonade] SMTP QUICKSTART Chris Newman
- Re: [lemonade] SMTP QUICKSTART Mark Crispin
- Re: [lemonade] Re: PIPELINING, AUTH, and CHUNKING Chris Newman
- Re: [lemonade] SMTP QUICKSTART Ned Freed
- Re: [lemonade] Re: PIPELINING, AUTH, and CHUNKING Tony Finch
- Re: [lemonade] Re: PIPELINING, AUTH, and CHUNKING Alexey Melnikov
- Re: [lemonade] SMTP QUICKSTART Tony Finch
- Re: [lemonade] Re: PIPELINING, AUTH, and CHUNKING Tony Finch
- Re: [lemonade] Re: PIPELINING, AUTH, and CHUNKING Arnt Gulbrandsen
- Re: [lemonade] Re: PIPELINING, AUTH, and CHUNKING Rob Siemborski
- Re: [lemonade] SMTP QUICKSTART Tony Finch
- Re: [lemonade] SMTP QUICKSTART Dave Cridland
- Re: [lemonade] SMTP QUICKSTART Tony Finch
- Re: [lemonade] SMTP QUICKSTART Dave Cridland
- Re: [lemonade] SMTP QUICKSTART Tony Finch
- Re: [lemonade] streamlined message submission Randall Gellens
- Re: [lemonade] streamlined message submission Dave Cridland
- Re: [lemonade] streamlined message submission Tony Finch
- Re: [lemonade] streamlined message submission Randall Gellens
- [lemonade] Re: PIPELINING, AUTH, and CHUNKING Randall Gellens
- [lemonade] Re: PIPELINING, AUTH, and CHUNKING Randall Gellens
- [lemonade] Re: PIPELINING and failed recipients Randall Gellens
- Re: [lemonade] streamlined message submission Dave Cridland
- Re: [lemonade] streamlined message submission Ned Freed
- Re: [lemonade] streamlined message submission Dave Cridland
- [lemonade] Re: PIPELINING and failed recipients Robert A. Rosenberg
- Re: [lemonade] streamlined message submission Randall Gellens
- [lemonade] Re: PIPELINING and failed recipients Randall Gellens