Re: [Mailsec] CLIENTID with PIPELINING

Michael Peddemors <michael@linuxmagic.com> Thu, 16 March 2023 15:42 UTC

From: Michael Peddemors <michael@linuxmagic.com>
To: mailsec@ietf.org
Date: Thu, 16 Mar 2023 08:42:43 -0700
Subject: Re: [Mailsec] CLIENTID with PIPELINING
Message-ID: <5f8664e6-8a08-b79d-5454-1eeda01a1da4@linuxmagic.com>
In-Reply-To: <9248d705-0292-1f69-0fb6-8918f1775d89@aitchison.me.uk>
List-Id: Email Security Issues <mailsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mailsec/Z8_LIevsUz1dY0mEih4qMCU-jZc>

On 2023-03-15 15:37, Andrew C Aitchison wrote:
> 
> [ Apologies if this doesn't thread properly.
>    My MUA doesn't have access to the message to which I am replying. ]
> 
> Michael Peddemors:
>>  in my humble opinion, when advertising CLIENTID support, it
>> should NOT advertise PIPELINE support
> 
> I have options for each of PIPELINE, PIPECONNECT* and CLIENTID
> just to advertise to selected hosts (default *)
> but how else could I determine which to use ?
> Two options I can see:
> 1 prefer PIPELINE in plain and CLIENTID when encrypted, or
> 2 CLIENTID in SUBMISSIONS (port 465) but PIPELINE on port 25 ?
> Any other thoughts ?
> 

Of course, CLIENTID MUST be only over encrypted channels.
And while some operators may still allow authentication over port 25, as 
an industry we treat that as historical, and only allow authentication 
over port 465 (SSL) or 587 (TLS).

Suggest that you ONLY support CLIENTID on the submission ports.

Recommend that you only advertise PIPELINE on port 25, if you choose to 
do so. While MTAs might have a reason NOT to advertise PIPELINE any 
more, there are still use cases (e.g. internal relays, etc.) that are not 
affected by PIPELINE.  IMHO, PIPELINE advertisement should not be on by 
default, but that is another topic.

More feedback by the Exim community might be in order, but as to 
CLIENTID, suggest you ONLY advertise CLIENTID on 465/587 by default, and 
ONLY if the connection is encrypted.  (Some MTAs out there still allow 
submission over port 587, with STARTTLS optional.)

-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
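The advertisement policy argued for in the reply above (CLIENTID only on the submission ports and only once the session is encrypted; PIPELINING on port 25 only when an operator turns it on), modelled as an added example that is not code from the post, from Exim, or from any MTA. The `Session` class, `ehlo_extensions`, `ehlo_response` and `handle_command` names are hypothetical, the hostname and SIZE value are constructed, and the exact reply texts for a rejected or accepted CLIENTID command are assumptions rather than text taken from the CLIENTID draft.

```python
"""Offline model of an SMTP server's EHLO/CLIENTID policy (added example,
not the mailing-list author's code). Names and reply strings are assumed."""

from dataclasses import dataclass
from typing import List, Optional

# Submission ports: 465 is implicit TLS (encrypted before any SMTP command),
# 587 reaches encryption via STARTTLS. Port 25 is MTA-to-MTA relay.
SUBMISSION_PORTS = {465, 587}


@dataclass
class Session:
    port: int
    tls_active: bool = False            # True once TLS is established
    advertise_pipelining: bool = False  # operator choice; off by default
    client_id: Optional[str] = None     # stored CLIENTID, if accepted

    def __post_init__(self) -> None:
        if self.port == 465:
            self.tls_active = True      # implicit TLS: encrypted from byte one


def ehlo_extensions(s: Session) -> List[str]:
    """Extensions to list in the EHLO response for this session."""
    exts = ["8BITMIME", "SIZE 26214400"]          # constructed baseline
    if not s.tls_active:
        exts.append("STARTTLS")                   # offer upgrade on plaintext
    if s.port == 25 and s.advertise_pipelining:
        exts.append("PIPELINING")                 # relay-only, opt-in
    if s.port in SUBMISSION_PORTS and s.tls_active:
        exts.append("AUTH PLAIN LOGIN")           # credentials only under TLS
        exts.append("CLIENTID")                   # likewise only under TLS
    return exts


def ehlo_response(s: Session, hostname: str = "mx.example.test") -> str:
    """Render the multi-line 250 reply; last line carries a space, not a dash."""
    exts = ehlo_extensions(s)
    lines = [f"250-{hostname} Hello"]
    lines += [f"250-{e}" for e in exts[:-1]]
    lines.append(f"250 {exts[-1]}")
    return "\r\n".join(lines)


def handle_command(s: Session, line: str) -> str:
    """Process one client command and return the server reply (assumed texts)."""
    verb, _, args = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        return ehlo_response(s)
    if verb == "STARTTLS":
        if s.tls_active:
            return "503 5.5.1 TLS already active"
        s.tls_active = True                       # model: handshake succeeded
        return "220 2.0.0 Ready to start TLS"
    if verb == "CLIENTID":
        if s.port not in SUBMISSION_PORTS:
            # Never accepted on the relay port, encrypted or not.
            return "502 5.5.1 Command not implemented"
        if not s.tls_active:
            # Reject on plaintext even though the client guessed the command.
            return "530 5.7.0 Must issue a STARTTLS command first"
        parts = args.split()
        if len(parts) != 2:
            return "501 5.5.4 Syntax: CLIENTID <type> <identifier>"
        s.client_id = f"{parts[0]}:{parts[1]}"
        return "250 2.0.0 OK"
    return "502 5.5.1 Command not implemented"


if __name__ == "__main__":
    sess = Session(587)
    for cmd in ("EHLO client.example.test", "CLIENTID TLS-CERT abc123",
                "STARTTLS", "EHLO client.example.test", "CLIENTID TLS-CERT abc123"):
        print(f"C: {cmd}")
        print("S:", handle_command(sess, cmd).replace("\r\n", "\nS: "))
```

The point the model makes concrete is that the advertisement and the command handler enforce the same rule independently: a client that sends CLIENTID without having seen it advertised (for instance by pipelining it blindly on a plaintext port 587 connection) still gets a rejection, so the policy does not rely on the client honouring the EHLO response.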