Re: [Mailsec] CLIENTID and ESMTP and LMTP Transmission Types Registration
Michael Peddemors <michael@linuxmagic.com> Wed, 29 March 2023 14:36 UTC
Return-Path: <michael@linuxmagic.com>
X-Original-To: mailsec@ietfa.amsl.com
Delivered-To: mailsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 958A8C1526F4 for <mailsec@ietfa.amsl.com>; Wed, 29 Mar 2023 07:36:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDOl9t0rbpPK for <mailsec@ietfa.amsl.com>; Wed, 29 Mar 2023 07:36:51 -0700 (PDT)
Received: from mail-ob1.cityemail.com (mail-ob1.cityemail.com [104.128.152.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AB99C151B25 for <mailsec@ietf.org>; Wed, 29 Mar 2023 07:36:50 -0700 (PDT)
Received: (qmail 3600331 invoked from network); 29 Mar 2023 14:36:48 -0000
Received: from riddle.wizard.ca (HELO [192.168.1.55]) (michael@wizard.ca@104.128.144.8) by fe1.cityemail.com with (TLS_AES_128_GCM_SHA256 encrypted) SMTP (23259cf0-ce3f-11ed-8f17-c7c9a688b968); Wed, 29 Mar 2023 07:36:48 -0700
Message-ID: <1143caf9-a2e7-53b4-1d70-ee35ac69dd52@linuxmagic.com>
Date: Wed, 29 Mar 2023 07:36:48 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Content-Language: en-US
To: mailsec@ietf.org
References: <2ee3e373-b207-2a02-15be-037ea826f66d@aitchison.me.uk>
From: Michael Peddemors <michael@linuxmagic.com>
Organization: LinuxMagic Inc.
In-Reply-To: <2ee3e373-b207-2a02-15be-037ea826f66d@aitchison.me.uk>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MagicMail-OS: Linux 2.2.x-3.x
X-MagicMail-UUID: 23259cf0-ce3f-11ed-8f17-c7c9a688b968
X-MagicMail-Authenticated: michael@wizard.ca
X-MagicMail-SourceIP: 104.128.144.8
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: <michael@linuxmagic.com>
X-Archive: Yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/mailsec/d6RcpxdonAK1iN_vc3aL-4xKWwM>
Subject: Re: [Mailsec] CLIENTID and ESMTP and LMTP Transmission Types Registration
X-BeenThere: mailsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Email Security Issues <mailsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mailsec>, <mailto:mailsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mailsec/>
List-Post: <mailto:mailsec@ietf.org>
List-Help: <mailto:mailsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mailsec>, <mailto:mailsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 14:36:56 -0000
On 2023-03-29 05:00, Andrew C Aitchison wrote: > > On Tue, 28 Mar 2023, Michael Peddemors wrote: > >> On 2023-03-27 10:10, Andrew C Aitchison wrote: >> > >> > [ I am attempting to implement CLIENTID for Exim the MTA. ] >> > >> > https://www.rfc-editor.org/rfc/rfc3848 >> > added ESMTPA, ESMTPS, ESMTPSA, LMTP, LMTPA, LMTPS and LMTPSA >> > to SMTP and ESMTP for use in the "with" clause of a Received >> > header in an Internet message. >> > >> > Would we want CLIENTID to add to this list ? >> > My thought is that this would risk leaking information >> > which might allow a third party to infer facts about the >> > heuristics or rules used, so my guess is "no". >> > >> > If we *did* decide to add to this list, would ESMTPSC and ESMTPSCA >> > be sufficient, or do we want LMTPSC and LMTPSCA too ? > >> and since this is limited to authentication at this time, >> I don't see even where ESMTPS would be used, >> but someone else might have an argument for that use case. > > If > EHLO - STARTTLS - CLIENTID - MAIL FROM: > is valid, that would be ESMTPS rather than ESMTPSA. > > I suppose you could read that into Section 4, fifth restriction: > An SMTP client MUST issue any CLIENTID commands prior to > issuing an [AUTH] command. > but I had not read that as saying that an AUTH is required between > CLIENTID and MAIL FROM: (just that CLIENTID is not valid after AUTH). > > I see that your servers do reject that pattern, with > 501 Rejecting MAIL FROM, Return Sender address not accepted by policy > (#5.5.2) > but I don't see anything in the draft rfc that requires that rejection. > > Thanks, > Thanks.. ticketed for next draft update, be more clear on this topic, but CLIENTID is designed for authentication. EHLO->STARTTLS->CLIENTID->MAIL FROM 'technically' is allowed in this current iteration, but of course if AUTH is required that is separate from the CLIENTID interaction. It was left that way in case there is another form of authentication that is external, that we haven't considered, eg AUTH not required from a specific IP Address for example. Do you feel that the Draft should be more specific in this regard, and explicitly require AUTH after CLIENTID? (off topic, our servers would have failed you the same way even if you hadn't sent CLIENTID, given that the MAIL FROM is not an address an address this server is responsible for, and you are connecting to a SUBMISSION port, OR you are using an address that IS on this server, and you did NOT present AUTH before MAIL FROM) -- "Catch the Magic of Linux..." ------------------------------------------------------------------------ Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. ------------------------------------------------------------------------ 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
- [Mailsec] CLIENTID and ESMTP and LMTP Transmissio… Andrew C Aitchison
- Re: [Mailsec] CLIENTID and ESMTP and LMTP Transmi… Michael Peddemors
- Re: [Mailsec] CLIENTID and ESMTP and LMTP Transmi… Andrew C Aitchison
- Re: [Mailsec] CLIENTID and ESMTP and LMTP Transmi… Andrew C Aitchison
- Re: [Mailsec] CLIENTID and ESMTP and LMTP Transmi… Michael Peddemors