[Mailsec] Retaining CLIENTID type and token after successful AUTH ?
Andrew C Aitchison <andrew@aitchison.me.uk> Thu, 30 March 2023 09:07 UTC
Return-Path: <andrew@aitchison.me.uk>
X-Original-To: mailsec@ietfa.amsl.com
Delivered-To: mailsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7216C15AE03 for <mailsec@ietfa.amsl.com>; Thu, 30 Mar 2023 02:07:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aitchison.me.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d_vnHoEbPxUy for <mailsec@ietfa.amsl.com>; Thu, 30 Mar 2023 02:07:53 -0700 (PDT)
Received: from mx1.mythic-beasts.com (mx1.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9144AC15C28C for <mailsec@ietf.org>; Thu, 30 Mar 2023 02:07:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=aitchison.me.uk; s=mythic-beasts-k1; h=Subject:To:From:Date; bh=PUxj74HtArtm3PjCiexKmBHogKdAiDAnYNY9NmRMzxs=; b=R/zp6cEA9PYIAozquP6CgN0eYV xcMNy+xRR46NyAUE28N4c/Px1NufMKVbUzfdrG8aWjUioG+wz+Qgdktp/c+hgjWKeVY3rOQzdyBD6 R6/U19yDCSP1xNbFsCXuCrq0mKhQSZMJTIsAODBHdEpMk+7XEpWlB9xF21csCf/wNt3TiIakv46Bb uEYoQFhrXlFywvbimnyZJUQgQ9RswRwU8GsLxK8sOWJnfpAYYipyIZoqNb7ttfqtqWr0JY9F7WQ1o Jtzqa8M6owcc4huIPkGWwNvSB53PMfw0IuRfEScOMhmwZ6jKyYcVjlkO4R/ZgExpevWpnHMBalP9H ge7Vr3WA==;
Received: by mailhub-cam-d.mythic-beasts.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <andrew@aitchison.me.uk>) id 1phoG5-006KlD-Rx for mailsec@ietf.org; Thu, 30 Mar 2023 10:07:50 +0100
Date: Thu, 30 Mar 2023 10:07:43 +0100
From: Andrew C Aitchison <andrew@aitchison.me.uk>
To: mailsec@ietf.org
Message-ID: <029a7a11-0043-5ff0-6464-23d73c489aaf@aitchison.me.uk>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
X-BlackCat-Spam-Score: 14
Archived-At: <https://mailarchive.ietf.org/arch/msg/mailsec/zW_IHnxgVG-AD1ZShptFqi_7Iww>
Subject: [Mailsec] Retaining CLIENTID type and token after successful AUTH ?
X-BeenThere: mailsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Email Security Issues <mailsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mailsec>, <mailto:mailsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mailsec/>
List-Post: <mailto:mailsec@ietf.org>
List-Help: <mailto:mailsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mailsec>, <mailto:mailsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 09:07:57 -0000
The last of the restrictions in section 4 is:
Several SMTP service extensions such as [AUTH] require that an
SMTP session be reset to an initial state under conditions
such as after applying a security layer. An SMTP server MUST
discard any CLIENTID information after such a reset.
This text appears to be saying that once the AUTH has succeeded
the session MUST not have or make use of the CLIENTID information.
Does that mean that I cannot separately rate-limit messages or recipients
between two sessions from the same user that have different CLIENTID values ?
In fact it appears that the only signal I can use to block one clientid
but not another is CLIENTID and AUTH attempts. When I notice that
clientid_1 is sending bad or too much mail, the AUTH has already happened
so the clientid is not available to put a block on just clientid_1,
so when the same user with clientid_2 attempts to send an email, they
will be blocked too ?
Or am I misreading that restriction ?
--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
- [Mailsec] Retaining CLIENTID type and token after… Andrew C Aitchison
- Re: [Mailsec] Retaining CLIENTID type and token a… Michael Peddemors