Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL

Chris Newman <chris.newman@oracle.com> Thu, 06 May 2010 15:56 UTC

Return-Path: <chris.newman@oracle.com>
X-Original-To: yam@core3.amsl.com
Delivered-To: yam@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2CD623A6B98 for <yam@core3.amsl.com>; Thu, 6 May 2010 08:56:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.037
X-Spam-Level:
X-Spam-Status: No, score=-0.037 tagged_above=-999 required=5 tests=[AWL=2.809, BAYES_50=0.001, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_54=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y+9AqkjwHsOJ for <yam@core3.amsl.com>; Thu, 6 May 2010 08:56:32 -0700 (PDT)
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by core3.amsl.com (Postfix) with ESMTP id BDBD83A6C6E for <yam@ietf.org>; Thu, 6 May 2010 08:46:34 -0700 (PDT)
Received: from fe-amer-09.sun.com ([192.18.109.79]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id o46FkLJW002105 for <yam@ietf.org>; Thu, 6 May 2010 15:46:21 GMT
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-disposition: inline
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0L2000800905GU00@mail-amer.sun.com> for yam@ietf.org; Thu, 06 May 2010 09:46:21 -0600 (MDT)
Received: from [192.168.15.3] ([unknown] [71.95.174.34]) by mail-amer.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0L2000H4P957TY40@mail-amer.sun.com>; Thu, 06 May 2010 09:46:21 -0600 (MDT)
Date: Thu, 06 May 2010 08:45:41 -0700
From: Chris Newman <chris.newman@oracle.com>
In-reply-to: <alpine.BSF.2.00.1005061043150.26027@joyce.lan>
Sender: Chris.Newman@Sun.COM
To: "John R. Levine" <johnl@iecc.com>, Tony Hansen <tony@att.com>
Message-id: <4BD612FD062FFBA59BA683A8@96B2F16665FF96BAE59E9B90>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
References: <4DE3D88239911A6791730051@96B2F16665FF96BAE59E9B90> <4BDD762E.5020606@tana.it> <4BE2B8EC.8030201@att.com> <alpine.BSF.2.00.1005061043150.26027@joyce.lan>
Cc: yam@ietf.org
Subject: Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2010 15:56:33 -0000

--On May 6, 2010 10:44:37 -0400 "John R. Levine" <johnl@iecc.com> wrote:
>> I think this is totally an issue with AUTH EXTERNAL and worth mention in
>> an  update to that spec. However, I don't think it directly affects
>> 4409bis.
>>
>> Any other people's thoughts?

I respectfully disagree that this is an AUTH-only problem.  It is a problem 
that impacts implementations of SMTP+Submission+STARTTLS (without AUTH), 
smtps (without AUTH), SMTP+Submission+AUTH+STARTTLS and smtps+AUTH. 
Unfortunately the only protocol specification we have that applies to all 
four problem scenarios is RFC 4409 (its application to smtps is by virtue 
of the fact smtps is only used for submission because it can't be an MX 
target).

> Agreed.  Honestly, I don't understand what problem AUTH EXTERNAL is
> supposed to solve.  In the software I'm familiar with, any auth-age that
> AUTH EXTERNAL might do happens automatically, whether the client asks for
> it or not.

AUTH EXTERNAL solves two problems.

First, for protocols with an explicit state model (e.g. POP3 and IMAP4), it 
causes a state change from the not-authenticated state where the protocol 
starts to the authenticated state.  The state model is actually very 
helpful when writing security-sensitive software as the threat-surface of 
the protocol can be significantly reduced when in the not-authenticated 
state.  Having as few protocol commands as possible actually trigger a 
state change makes it simpler to verify correct implementation.  SMTP 
doesn't get this benefit as long as we support legacy submission, but 
Submission port 587 can have this benefit.

Second, AUTH EXTERNAL (or more specifically the SASL authorization ID 
feature present in mulitple SASL mechanisms) allows a feature I like to 
call "administrative proxy authentication" where an administrator or more 
likely an automated tool will use administrative credentials to 
authenticate as a specific user.  For example, in a unified messaging 
system the voice mail system may wish to clear the "seen" flag for the 
voice mail in a user's INBOX after it has played that information to the 
user over a telephone interface.  Arguably, the AUTH= parameter in the SMTP 
AUTH spec provides an alternative and perhaps better mechanism to do this 
for SMTP, although I've seen implementations that (incorrectly) claimed to 
implement SMTP AUTH and failed to implement the AUTH= parameter.

So I will accept an argument that AUTH EXTERNAL provides little value 
specifically to SMTP (beyond and explicit protocol indication that the 
client certificate was acceptable for SMTP-level authentication to the 
server, something that helps the client to produce better end-user 
diagnostics), which is why I proposed option 2.  But I do consider AUTH 
EXTERNAL an important mechanism in general.

		- Chris