Re: POP handling commands given in wrong state
Paul Smith <paul@pscs.co.uk> Wed, 27 July 2011 08:51 UTC
Received: from hoffman.proper.com (localhost [127.0.0.1]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p6R8pATC055982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 27 Jul 2011 01:51:11 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by hoffman.proper.com (8.14.4/8.13.5/Submit) id p6R8pAO1055981; Wed, 27 Jul 2011 01:51:10 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: hoffman.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from mail.pscs.co.uk (mail.pscs.co.uk [46.20.224.92]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p6R8p7ut055975 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pop3ext@imc.org>; Wed, 27 Jul 2011 01:51:09 -0700 (MST) (envelope-from prvs=0189A3A045=paul@pscs.co.uk)
Received: from lmail.pscs.co.uk ([217.155.61.14]) by mail.pscs.co.uk ([46.20.224.92] running VPOP3) with ESMTP; Wed, 27 Jul 2011 09:49:56 +0100
Received: from [192.168.66.100] ([192.168.66.100]) by lmail.pscs.co.uk ([192.168.66.70] running VPOP3) with ESMTP; Wed, 27 Jul 2011 09:49:53 +0100
Message-ID: <4E2FD131.3020406@pscs.co.uk>
Date: Wed, 27 Jul 2011 09:49:53 +0100
From: Paul Smith <paul@pscs.co.uk>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.18) Gecko/20110616 Lightning/1.0b2 Thunderbird/3.1.11
MIME-Version: 1.0
To: Mykyta Yevstifeyev <evnikita2@gmail.com>
CC: ietf-pop3ext@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>
Subject: Re: POP handling commands given in wrong state
References: <4E2E49AC.9090207@gmail.com> <4E2E7708.3080004@pscs.co.uk> <4E2E8762.5030805@gmail.com> <4E2E8E10.9070209@pscs.co.uk> <4E2EBEC5.1000306@gmail.com> <4E2EC1E0.7010504@pscs.co.uk> <4E2F9AA7.80901@gmail.com>
In-Reply-To: <4E2F9AA7.80901@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: paul
X-Server: VPOP3 Enterprise V4.0.0e - Registered
X-Organisation: Paul Smith Computer Services
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>
On 27/07/2011 05:57, Mykyta Yevstifeyev wrote: >> Hmm, I think if you are talking about existing implementations using >> a deprecated system, then trying to alter the behaviour of them is >> unlikely to achieve anything... > I wouldn't say it is deprecated; POP-over-TLS is used even more often > that STLS, as I've already mentioned. We're trying to give it the > official documentation and set the standard behavior of the server/client. It is 'discouraged' then. Also, because, as of now, there is no standards track document saying how POP3-over-TLS should work, I think you can safely call it non-standard. Non-standard + 'discouraged' + a better standardised option = seems to suggest that no one should be starting to use that system now... There is no good reason to use POP3-over-TLS instead of STLS, so I think it needs to be made clear that POP3-over-TLS is second-best compared to STLS (as someone who's implemented both, I found STLS a lot easier than POP3-over-TLS to implement). If you are trying to specify what future servers who want to use this 'discouraged' system should do, then simply say they must start up in the authorization stage after the TLS session has been started (just as with STLS). Anything else is too far from the POP3 standard, and as Randall said 'magic'. I am not aware of any 'well known' POP3 clients which will skip the authorization stage, so any server which requires this must just be used for 'internal' use, and thus not really relevant for standards. Internal use servers can do anything they want so these aren't doing 'POP3-over-TLS', they're doing 'almost-POP3-over-TLS' which is fine for internal use. The only reason to do a POP3-over-TLS implementation nowadays should be to allow compatibility with some popular old software which doesn't support STLS. AFAIK, that is essentially old versions of Outlook/Outlook Express - those use USER/PASS after connecting over TLS. I strongly feel that the POP3 session should start in the authorization stage, as understood by everyone who uses a standardised POP3 service (ie one where the developer has read RFC 1939). So, USER/AUTH/APOP is needed as one of the first commands after connecting. As Randall suggested, use SASL EXTERNAL if you want (isn't this the whole point of SASL EXTERNAL?), but you should need an AUTH. What's the problem with needing that? > In our case the AUTHORIZATION is safely replaced by TLS negotiation. > It also happens directly after TCP connection, but skipping the > greeting, which is replaced by TLS ServerHello message. Which is breaking the POP3 standard, because the greeting is specified as a 'one line [text] greeting' >> If you are just wanting to document existing behaviour, then this >> doesn't matter, as neither the extended response nor standard >> compliant behaviour is possible. > But if we try to unify all existing behavior, this will be great, > won't it? Well, what would be great IMHO would be to destroy all POP3-over-TLS implementations... They should never have been done in the first place! But, failing that, it's fairly obvious the 'most correct' implementation is to do it as Gmail, Thunderbird, etc, etc have done, and have it as normal RFC 1939 but with a TLS 'wrapper' around the session. The 'broken' implementation of not needing AUTH after session establishment is the one that needs to be fixed somehow. Either you kludge it by having some mechanism that the client needs to understand for the server to say 'I'm in the wrong state now', or you fix it properly by having the server enter AUTHORIZATION state.
- Re: POP handling commands given in wrong state Mykyta Yevstifeyev
- Re: POP handling commands given in wrong state Chris Newman
- Re: POP handling commands given in wrong state Mykyta Yevstifeyev
- Re: POP handling commands given in wrong state Paul Smith
- Re: POP handling commands given in wrong state Mykyta Yevstifeyev
- Re: POP handling commands given in wrong state Mykyta Yevstifeyev
- Re: POP handling commands given in wrong state Randall Gellens
- Re: POP handling commands given in wrong state Randall Gellens
- Re: POP handling commands given in wrong state Randall Gellens
- Re: POP handling commands given in wrong state Paul Smith
- Re: POP handling commands given in wrong state Paul Smith
- Re: POP handling commands given in wrong state Randall Gellens
- Re: POP handling commands given in wrong state Mykyta Yevstifeyev
- Re: POP handling commands given in wrong state Paul Smith
- Re: POP handling commands given in wrong state Mykyta Yevstifeyev
- Re: POP handling commands given in wrong state Paul Smith
- POP handling commands given in wrong state Mykyta Yevstifeyev
- Re: Fwd: I-D Action: draft-yevstifeyev-pop-wrong-… Paul Smith
- Re: Fwd: I-D Action: draft-yevstifeyev-pop-wrong-… Mykyta Yevstifeyev
- Re: Fwd: I-D Action: draft-yevstifeyev-pop-wrong-… Chris Newman
- Re: Fwd: I-D Action: draft-yevstifeyev-pop-wrong-… Mykyta Yevstifeyev
- Re: Fwd: I-D Action: draft-yevstifeyev-pop-wrong-… Chris Newman
- Re: POP handling commands given in wrong state Alexey Melnikov
- Fwd: I-D Action: draft-yevstifeyev-pop-wrong-stat… Mykyta Yevstifeyev