Re: [Mailsec] CLIENTID with PIPELINING

[Michael Peddemors <michael@linuxmagic.com>]

On 2023-03-15 07:52, Andrew C Aitchison wrote:
> 
> I am attempting to implement CLIENTID for Exim.
> 
> draft-storey-smtp-client-id-14.txt does not mention pipelining.
> 
> Would it be reasonable for the next draft to make a statement about
> whether or not CLIENTID can be pipelined and/or must be synchronised ?
> 
> The Exim code  has:
> 
> /* RFC3030 section 2: "After all MAIL and RCPT responses are collected
>    and processed the message is sent using a series of BDAT commands"
>    implies that BDAT should be synchronised.  However, we see Google,
>    at least, sending MAIL,RCPT,BDAT-LAST in a single packet, clearly
>    not waiting for processing of the RCPT response(s).  We shall do the
>    same, and not require synch for BDAT.  Worse, as the chunk may (very
>    likely will) follow the command-header in the same packet we cannot
>    do the usual "is there any follow-on data after the command line"
>    even for non-pipeline mode.  So we'll need an explicit check after
>    reading the expected chunk amount when non-pipe, before sending the
>    ACK. */
> 
> Mad as it may be, Exim also accepts AUTH *when pipelining* - the code has
>    /* I have been unable to find a statement about the use of pipelining
>    with AUTH, so to be on the safe side it is here [in the list of
>    non-sync commands when not pipelining], though I kind of feel
>    it should be up there with the synchronized commands. */
> 
> Presumably STARTTLS and CLIENTID commands cannot be sent together,
> since the CLIENTID must be encrypted, but
> I would like to at least to know whether or not it is valid
> for the CLIENTID and AUTH commands to be sent together.
> 
> As the Exim comments show,
> if the RFC doesn't forbid it, developers have to allow for it.
> 
> Thanks,
> 


NOTED: Will add discussion of PIPELINE into the next update of the 
draft, but in my humble opinion, when advertising CLIENTID support, it 
should NOT advertise PIPELINE support, I would expect that most 
implementations would do some validation of the data received during 
CLIENTID, and reject obvious data that fails to pass RFC validation, 
however it MAY be that an implementer might choose to continue on, and 
simply ignore the bad data, and treat it as if the CLIENTID was never 
presented.  Not that I personally think that would be a good idea.

If anyone has an opinion why PIPELINE should be supported during AUTH, 
would also like to hear about it, but with most modern MTA's they do 
sufficient inline checks that PIPELINE and AUTH are not happy companions.


-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.