Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL

Alessandro Vesely <> Sun, 02 May 2010 12:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 969343A698E for <>; Sun, 2 May 2010 05:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.759
X-Spam-Status: No, score=-3.759 tagged_above=-999 required=5 tests=[AWL=-2.840, BAYES_50=0.001, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, J_CHICKENPOX_38=0.6, J_CHICKENPOX_48=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZnpZ8U5OYDXa for <>; Sun, 2 May 2010 05:54:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4E5363A69E9 for <>; Sun, 2 May 2010 05:54:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=test; t=1272804864; bh=jYajmKcNLHYeUGldWTc5BiLZoj4tUuutvN+SI4LWM6M=; l=2155; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Content-Transfer-Encoding; b=DLYPfNRQx9uBDXA5xGultzoGkbUJ6evHkQta+1BbsT6qth11zXmGkPEXZSODEMu/c tw/hv56uJl6du1eMdI32/d48UksNW5dQqQUIB1PlCB6M85a9+0Z8U9hY23Sr08VQ6r xlRwO5p1j0Y2vTDAro4EgOAJtO7atm2NEAPR2dUo=
Received: from mach-4.local ( []) (AUTH: CRAM-MD5 515, TLS: TLS1.0,256bits,RSA_AES_256_CBC_SHA1) by with ESMTPSA; Sun, 02 May 2010 14:54:24 +0200 id 00000000005DC035.000000004BDD7600.00001D6B
Message-ID: <>
Date: Sun, 02 May 2010 14:55:10 +0200
From: Alessandro Vesely <>
User-Agent: Thunderbird (Macintosh/20100228)
MIME-Version: 1.0
References: <4DE3D88239911A6791730051@96B2F16665FF96BAE59E9B90>
In-Reply-To: <4DE3D88239911A6791730051@96B2F16665FF96BAE59E9B90>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 02 May 2010 12:54:46 -0000

Chris Newman wrote:
> Option 1: relevant to YAM -- Clarify 4409 section 4.3 to state that 
> providing client authentication during TLS does not constitute 
> "independently established authentication" [...]
> Pros: [...] Consistent with IMAP+STARTTLS and POP+STARTTLS.

Even if SUBMIT mandates authentication, it inherits the SMTP trust 
model, which is different from that of IMAP and POP. Section 4.3 
just allows such compatibility. An historical trait.

> Option 2: Incompatible change to RFC 3207 (SMTP STARTTLS) when an SMTP 
> client provides a client certificate the server deems valid for 
> authentication purposes, the server MUST enable the SASL EXTERNAL 
> mechanism (advertising it in EHLO and allowing it in AUTH).  If the 
> client issues "MAIL FROM" without issuing an AUTH command in this 
> situation, the server MUST behave as if an implicit "AUTH EXTERNAL =" 
> was issued by the client.

This option may cause difficulties with the paragraph in rfc 4954 
that says

      After an AUTH command has been successfully completed, no more
      AUTH commands may be issued in the same session.  After a
      successful AUTH command completes, a server MUST reject any
      further AUTH commands with a 503 reply.

In case an implicit "AUTH EXTERNAL =" had been assumed by the server 
when a previous transaction started, the client cannot repeat it for 
the whole session. For an MTA, non-authenticated transactions are 
allowed, so it may be unclear whether the server should assume it in 
any case.

I note that SMTP-AUTH does not allow a client to query its current 
authentication state, nor to learn what authorizations such state 
implies (e.g. relaying, specifying trusted AUTH parameters.) I think 
the problem you describe results from that design.

I'd agree if rfc4409bis will informatively mention that "AUTH 
EXTERNAL =" may be used by a client to check the status of an 
independently established authentication --in case the server has 
such mechanism. Additionally, section 3.3 may want to mention client 
TLS certificates. Would that bring any good?