Re: [Mailsec] Retaining CLIENTID type and token after successful AUTH ?
Michael Peddemors <michael@linuxmagic.com> Thu, 30 March 2023 22:32 UTC
Return-Path: <michael@linuxmagic.com>
X-Original-To: mailsec@ietfa.amsl.com
Delivered-To: mailsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61929C151B06 for <mailsec@ietfa.amsl.com>; Thu, 30 Mar 2023 15:32:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.104
X-Spam-Level:
X-Spam-Status: No, score=-1.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbeAExeGEUwG for <mailsec@ietfa.amsl.com>; Thu, 30 Mar 2023 15:32:29 -0700 (PDT)
Received: from mail-ob3.cityemail.com (unknown [104.128.152.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229DCC1516FF for <mailsec@ietf.org>; Thu, 30 Mar 2023 15:32:23 -0700 (PDT)
Received: (qmail 238301 invoked from network); 30 Mar 2023 22:32:21 -0000
Received: from riddle.wizard.ca (HELO [192.168.1.55]) (michael@wizard.ca@104.128.144.8) by fe3.cityemail.com with (TLS_AES_128_GCM_SHA256 encrypted) SMTP (bc807ed6-cf4a-11ed-ab72-6387d60b0cac); Thu, 30 Mar 2023 15:32:21 -0700
Message-ID: <45ee1e8d-c9f7-d32d-787a-6b25e3a0a58c@linuxmagic.com>
Date: Thu, 30 Mar 2023 15:32:21 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Content-Language: en-US
To: mailsec@ietf.org
References: <029a7a11-0043-5ff0-6464-23d73c489aaf@aitchison.me.uk>
From: Michael Peddemors <michael@linuxmagic.com>
Organization: LinuxMagic Inc.
In-Reply-To: <029a7a11-0043-5ff0-6464-23d73c489aaf@aitchison.me.uk>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MagicMail-OS: Linux 2.2.x-3.x
X-MagicMail-UUID: bc807ed6-cf4a-11ed-ab72-6387d60b0cac
X-MagicMail-Authenticated: michael@wizard.ca
X-MagicMail-SourceIP: 104.128.144.8
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: <michael@linuxmagic.com>
X-Archive: Yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/mailsec/zAF4QRkuNSqnFD8SHscRaGK7o8k>
Subject: Re: [Mailsec] Retaining CLIENTID type and token after successful AUTH ?
X-BeenThere: mailsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Email Security Issues <mailsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mailsec>, <mailto:mailsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mailsec/>
List-Post: <mailto:mailsec@ietf.org>
List-Help: <mailto:mailsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mailsec>, <mailto:mailsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 22:32:33 -0000
On 2023-03-30 02:07, Andrew C Aitchison wrote: > > The last of the restrictions in section 4 is: > Several SMTP service extensions such as [AUTH] require that an > SMTP session be reset to an initial state under conditions > such as after applying a security layer. An SMTP server MUST > discard any CLIENTID information after such a reset. > > This text appears to be saying that once the AUTH has succeeded > the session MUST not have or make use of the CLIENTID information. > > Does that mean that I cannot separately rate-limit messages or recipients > between two sessions from the same user that have different CLIENTID > values ? > > In fact it appears that the only signal I can use to block one clientid > but not another is CLIENTID and AUTH attempts. When I notice that > clientid_1 is sending bad or too much mail, the AUTH has already happened > so the clientid is not available to put a block on just clientid_1, > so when the same user with clientid_2 attempts to send an email, they > will be blocked too ? > > Or am I misreading that restriction ? > Not quite.. Love having the extra pair of literal eyes. Very poorly worded there, this is just meant to be a confirmation, that when a 'SESSION' is reset, CLIENTID information needs to be forgotten, just like any other AUTH information. It's to ensure that the CLIENTID is able to be resent if for example two different AUTH happen on the same connection. Not that it is common for two AUTH to occur in the same connection, but some AUTH proxies might do that. Typically, this COULD happen where during the same connection, another EHLO is issued, or a change in STARTTLS.. This doesn't apply to two different sessions at all, but a single session, where a given VERB is issued, that triggers a reset. Thinking the terminology of 'session' throwing a mix in the works. (Yes, we run separate rate limiters too) But I should take a minute more to reread, just running into a meeting. You would never have two CLIENTID's active in the same connection, but you can have subsequent 'sessions' in the same connection, is that clearer.. We should point to the definitions of those terms, as defined in other RFC's at that point. -- "Catch the Magic of Linux..." ------------------------------------------------------------------------ Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. ------------------------------------------------------------------------ 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
- [Mailsec] Retaining CLIENTID type and token after… Andrew C Aitchison
- Re: [Mailsec] Retaining CLIENTID type and token a… Michael Peddemors