Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL

Tony Hansen <tony@att.com> Thu, 06 May 2010 12:42 UTC

Return-Path: <tony@att.com>
X-Original-To: yam@core3.amsl.com
Delivered-To: yam@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 601F83A6B49 for <yam@core3.amsl.com>; Thu, 6 May 2010 05:42:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.438
X-Spam-Level:
X-Spam-Status: No, score=-104.438 tagged_above=-999 required=5 tests=[AWL=-1.639, BAYES_50=0.001, J_CHICKENPOX_38=0.6, J_CHICKENPOX_48=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uo1IwCwySJnU for <yam@core3.amsl.com>; Thu, 6 May 2010 05:42:50 -0700 (PDT)
Received: from mail129.messagelabs.com (mail129.messagelabs.com [216.82.250.147]) by core3.amsl.com (Postfix) with ESMTP id 036CB3A6B60 for <yam@ietf.org>; Thu, 6 May 2010 05:41:39 -0700 (PDT)
X-VirusChecked: Checked
X-Env-Sender: tony@att.com
X-Msg-Ref: server-4.tower-129.messagelabs.com!1273149685!33212727!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [144.160.20.146]
Received: (qmail 4101 invoked from network); 6 May 2010 12:41:26 -0000
Received: from sbcsmtp7.sbc.com (HELO mlpd194.enaf.sfdc.sbc.com) (144.160.20.146) by server-4.tower-129.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 6 May 2010 12:41:26 -0000
Received: from enaf.sfdc.sbc.com (localhost.localdomain [127.0.0.1]) by mlpd194.enaf.sfdc.sbc.com (8.14.3/8.14.3) with ESMTP id o46Cf8BP031647 for <yam@ietf.org>; Thu, 6 May 2010 08:41:09 -0400
Received: from klpd017.kcdc.att.com (klpd017.kcdc.att.com [135.188.40.86]) by mlpd194.enaf.sfdc.sbc.com (8.14.3/8.14.3) with ESMTP id o46Cf41C031574 for <yam@ietf.org>; Thu, 6 May 2010 08:41:04 -0400
Received: from kcdc.att.com (localhost.localdomain [127.0.0.1]) by klpd017.kcdc.att.com (8.14.3/8.14.3) with ESMTP id o46CfKQk011938 for <yam@ietf.org>; Thu, 6 May 2010 07:41:21 -0500
Received: from maillennium.att.com (mailgw1.maillennium.att.com [135.25.114.99]) by klpd017.kcdc.att.com (8.14.3/8.14.3) with ESMTP id o46CfHli011908 for <yam@ietf.org>; Thu, 6 May 2010 07:41:17 -0500
Received: from [135.70.237.159] (vpn-135-70-237-159.vpn.east.att.com[135.70.237.159]) by maillennium.att.com (mailgw1) with ESMTP id <20100506124117gw100b8i2se> (Authid: tony); Thu, 6 May 2010 12:41:17 +0000
X-Originating-IP: [135.70.237.159]
Message-ID: <4BE2B8EC.8030201@att.com>
Date: Thu, 06 May 2010 08:41:16 -0400
From: Tony Hansen <tony@att.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: yam@ietf.org
References: <4DE3D88239911A6791730051@96B2F16665FF96BAE59E9B90> <4BDD762E.5020606@tana.it>
In-Reply-To: <4BDD762E.5020606@tana.it>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2010 12:42:51 -0000

I think this is totally an issue with AUTH EXTERNAL and worth mention in 
an update to that spec. However, I don't think it directly affects 4409bis.

Any other people's thoughts?

     Tony Hansen
     tony@att.com

On 5/2/2010 8:55 AM, Alessandro Vesely wrote:
> Chris Newman wrote:
>>
>> Option 1: relevant to YAM -- Clarify 4409 section 4.3 to state that 
>> providing client authentication during TLS does not constitute 
>> "independently established authentication" [...]
>>
>> Pros: [...] Consistent with IMAP+STARTTLS and POP+STARTTLS.
>
> Even if SUBMIT mandates authentication, it inherits the SMTP trust 
> model, which is different from that of IMAP and POP. Section 4.3 just 
> allows such compatibility. An historical trait.
>
>> Option 2: Incompatible change to RFC 3207 (SMTP STARTTLS) when an 
>> SMTP client provides a client certificate the server deems valid for 
>> authentication purposes, the server MUST enable the SASL EXTERNAL 
>> mechanism (advertising it in EHLO and allowing it in AUTH).  If the 
>> client issues "MAIL FROM" without issuing an AUTH command in this 
>> situation, the server MUST behave as if an implicit "AUTH EXTERNAL =" 
>> was issued by the client.
>
> This option may cause difficulties with the paragraph in rfc 4954 that 
> says
>
>  Restrictions:
>      After an AUTH command has been successfully completed, no more
>      AUTH commands may be issued in the same session.  After a
>      successful AUTH command completes, a server MUST reject any
>      further AUTH commands with a 503 reply.
>
> In case an implicit "AUTH EXTERNAL =" had been assumed by the server 
> when a previous transaction started, the client cannot repeat it for 
> the whole session. For an MTA, non-authenticated transactions are 
> allowed, so it may be unclear whether the server should assume it in 
> any case.
>
> I note that SMTP-AUTH does not allow a client to query its current 
> authentication state, nor to learn what authorizations such state 
> implies (e.g. relaying, specifying trusted AUTH parameters.) I think 
> the problem you describe results from that design.
>
> I'd agree if rfc4409bis will informatively mention that "AUTH EXTERNAL 
> =" may be used by a client to check the status of an independently 
> established authentication --in case the server has such mechanism. 
> Additionally, section 3.3 may want to mention client TLS certificates. 
> Would that bring any good?