Re: [Mailsec] CLIENTID with PIPELINING

Michael Peddemors <michael@linuxmagic.com> Wed, 15 March 2023 15:25 UTC

Return-Path: <michael@linuxmagic.com>
X-Original-To: mailsec@ietfa.amsl.com
Delivered-To: mailsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C467C14CF1D for <mailsec@ietfa.amsl.com>; Wed, 15 Mar 2023 08:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RuU-NJI8yfZT for <mailsec@ietfa.amsl.com>; Wed, 15 Mar 2023 08:25:32 -0700 (PDT)
Received: from mail-ob1.cityemail.com (mail-ob1.cityemail.com [104.128.152.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49520C14CEF9 for <mailsec@ietf.org>; Wed, 15 Mar 2023 08:25:31 -0700 (PDT)
Received: (qmail 839081 invoked from network); 15 Mar 2023 15:25:29 -0000
Received: from riddle.wizard.ca (HELO [192.168.1.55]) (michael@wizard.ca@104.128.144.8) by fe1.cityemail.com with (TLS_AES_128_GCM_SHA256 encrypted) SMTP (9e3d21ec-c345-11ed-a7e8-4f073364bf82); Wed, 15 Mar 2023 08:25:29 -0700
Message-ID: <8d2e5b59-9956-b842-4990-96d4f0e419d9@linuxmagic.com>
Date: Wed, 15 Mar 2023 08:25:29 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Content-Language: en-US
To: mailsec@ietf.org
References: <05fa891e-7243-eb2a-d2cc-20c08ca5bbe8@aitchison.me.uk>
From: Michael Peddemors <michael@linuxmagic.com>
Organization: LinuxMagic Inc.
In-Reply-To: <05fa891e-7243-eb2a-d2cc-20c08ca5bbe8@aitchison.me.uk>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MagicMail-OS: Linux 2.2.x-3.x
X-MagicMail-UUID: 9e3d21ec-c345-11ed-a7e8-4f073364bf82
X-MagicMail-Authenticated: michael@wizard.ca
X-MagicMail-SourceIP: 104.128.144.8
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: <michael@linuxmagic.com>
X-Archive: Yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/mailsec/LEpNVIZgtmCDNm42uMmRsFPFS0c>
Subject: Re: [Mailsec] CLIENTID with PIPELINING
X-BeenThere: mailsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Email Security Issues <mailsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mailsec>, <mailto:mailsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mailsec/>
List-Post: <mailto:mailsec@ietf.org>
List-Help: <mailto:mailsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mailsec>, <mailto:mailsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2023 15:25:36 -0000

On 2023-03-15 07:52, Andrew C Aitchison wrote:
> 
> I am attempting to implement CLIENTID for Exim.
> 
> draft-storey-smtp-client-id-14.txt does not mention pipelining.
> 
> Would it be reasonable for the next draft to make a statement about
> whether or not CLIENTID can be pipelined and/or must be synchronised ?
> 
> The Exim code  has:
> 
> /* RFC3030 section 2: "After all MAIL and RCPT responses are collected
>    and processed the message is sent using a series of BDAT commands"
>    implies that BDAT should be synchronised.  However, we see Google,
>    at least, sending MAIL,RCPT,BDAT-LAST in a single packet, clearly
>    not waiting for processing of the RCPT response(s).  We shall do the
>    same, and not require synch for BDAT.  Worse, as the chunk may (very
>    likely will) follow the command-header in the same packet we cannot
>    do the usual "is there any follow-on data after the command line"
>    even for non-pipeline mode.  So we'll need an explicit check after
>    reading the expected chunk amount when non-pipe, before sending the
>    ACK. */
> 
> Mad as it may be, Exim also accepts AUTH *when pipelining* - the code has
>    /* I have been unable to find a statement about the use of pipelining
>    with AUTH, so to be on the safe side it is here [in the list of
>    non-sync commands when not pipelining], though I kind of feel
>    it should be up there with the synchronized commands. */
> 
> Presumably STARTTLS and CLIENTID commands cannot be sent together,
> since the CLIENTID must be encrypted, but
> I would like to at least to know whether or not it is valid
> for the CLIENTID and AUTH commands to be sent together.
> 
> As the Exim comments show,
> if the RFC doesn't forbid it, developers have to allow for it.
> 
> Thanks,
> 


NOTED: Will add discussion of PIPELINE into the next update of the 
draft, but in my humble opinion, when advertising CLIENTID support, it 
should NOT advertise PIPELINE support, I would expect that most 
implementations would do some validation of the data received during 
CLIENTID, and reject obvious data that fails to pass RFC validation, 
however it MAY be that an implementer might choose to continue on, and 
simply ignore the bad data, and treat it as if the CLIENTID was never 
presented.  Not that I personally think that would be a good idea.

If anyone has an opinion why PIPELINE should be supported during AUTH, 
would also like to hear about it, but with most modern MTA's they do 
sufficient inline checks that PIPELINE and AUTH are not happy companions.


-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.