SM | 1 Feb 14:18 2009

Re: STARTTLS & EHLO: Errata text?


At 13:37 31-01-2009, Hector Santos wrote:
>So the one question I did have was the response code from the 
>server.  As shown, the server issued 550. It was something:
>
>    [TLS established]
>    C: MAIL FROM <xxxx>
>    S: 550 EHLO/HELO required.
>
>Shouldn't the server response be 503 (Bad Sequence of commands)?

That would be a 503 as the SMTP session is reset to the initial state 
upon completion of the TLS handshake.

>If so, should this be stated in the revised text?

This is about SMTP.

Regards,
-sm 

Tony Finch | 1 Feb 18:14 2009

Re: STARTTLS & EHLO: Errata text?


On Sat, 31 Jan 2009, Hector Santos wrote:
>
> So the one question I did have was the response code from the server.  As
> shown, the server issued 550. It was something:
>
>    [TLS established]
>    C: MAIL FROM <xxxx>
>    S: 550 EHLO/HELO required.
>
> Shouldn't the server response be 503 (Bad Sequence of commands)?

Probably. The server in question (Exim) does not have this check
hard-coded. Instead, it has a very general-purpose "ACL" facility for
scripting SMTP-time checks. This allows admins to implement all sorts of
things, including checking that HELO or EHLO has been issued before a MAIL
transaction - which is in fact one of the more popular checks. Hence the
response code is a 550 policy failure code rather than something relating
more directly to the SMTP state machine.

> If so, should this be stated in the revised text?

Not in 3207 - this requirement is inherited from 5321.

Tony.
-- 
f.anthony.n.finch  <dot <at> dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.


John C Klensin | 1 Feb 18:49 2009

Re: STARTTLS & EHLO: Errata text?


--On Sunday, February 01, 2009 17:14 +0000 Tony Finch
<dot <at> dotat.at> wrote:

> 
> On Sat, 31 Jan 2009, Hector Santos wrote:
>> 
>> So the one question I did have was the response code from the
>> server.  As shown, the server issued 550. It was something:
>> 
>>    [TLS established]
>>    C: MAIL FROM <xxxx>
>>    S: 550 EHLO/HELO required.
>> 
>> Shouldn't the server response be 503 (Bad Sequence of
>> commands)?
>... 
>> If so, should this be stated in the revised text?
> 
> Not in 3207 - this requirement is inherited from 5321.

IMO, that requirement, and the use of the codes, is perfectly
clear in 5321 (at least to anyone who bothers to read it).  If
someone disagrees, please send text.

    john

Hector Santos | 1 Feb 20:49 2009

Re: STARTTLS & EHLO: Errata text?


John C Klensin wrote:
> 
> 
> --On Sunday, February 01, 2009 17:14 +0000 Tony Finch
> <dot <at> dotat.at> wrote:
> 
>> On Sat, 31 Jan 2009, Hector Santos wrote:
>>> So the one question I did have was the response code from the
>>> server.  As shown, the server issued 550. It was something:
>>>
>>>    [TLS established]
>>>    C: MAIL FROM <xxxx>
>>>    S: 550 EHLO/HELO required.
>>>
>>> Shouldn't the server response be 503 (Bad Sequence of
>>> commands)?
>> ... 
>>> If so, should this be stated in the revised text?
>> Not in 3207 - this requirement is inherited from 5321.
> 
> IMO, that requirement, and the use of the codes, is perfectly
> clear in 5321 (at least to anyone who bothers to read it).  If
> someone disagrees, please send text.

Tony, SM, John,

Ok, let me try it this way:

I was thinking of 3207 with text similar to:

John C Klensin | 1 Feb 21:25 2009

Re: STARTTLS & EHLO: Errata text?


--On Sunday, February 01, 2009 14:49 -0500 Hector Santos
<hsantos <at> santronics.com> wrote:

>...
> Tony, SM, John,
> 
> Ok, let me try it this way:
> 
> I was thinking of 3207 with text similar to:
> 
>      The secured SMTP client MUST resend the EHLO command and the
>      secured SMTP server MUST be prepared to issue an 503
>      for any out of sequence commands by legacy 3207 clients.

In spite of the fact that the 503 code has been stable since 821
was published, I'd be a lot happier with the above if it said
"issue a 'command out of sequence' reply" or "issue a 'command
out of sequence' reply as specified for SMTP [RFC5321]" than
"issue a 503...".  Just aesthetics about what is specified where.

I don't have enough in-depth familiarity with 3207 clients to
have a useful opinion about whether 

	(1) that text is needed or whether 
	
	(2) text that (i) recommended sending the second EHLO
	and (ii) indicated that any client that does not send
	the EHLO MUST be prepared for a "command out of

Hector Santos | 1 Feb 21:28 2009

RFC 1123bis?


Tony Finch wrote:

>> If so, should this be stated in the revised text?
> 
> Not in 3207 - this requirement is inherited from 5321.

On a related, we desperately need another RFC 1123, the "holy bible" 
for Internet hosting as I called it. :-)

Something that puts it all together again.   I just find it funny how 
we can be at times so anal about the whys things are done, with 
partial references and presumptions of inherit understanding, yet, we 
end up revisiting, rewriting things when something occurs people 
worked hard to prevent.  I carry a favorite motto from my old High 
School English teacher, "Being specific is Terrific."   It has helped 
in all my writings, technical or otherwise.

Today, with SMTP and all the augmented extensions, etc, a consolidated 
technical summary guide is necessary.  Not everyone is as keen as 
others where they know every RFC nook and cranny, every twist and turn 
issues related to the email system.

Of course, the question can be asked, should a SMTP implementor, new 
or otherwise, but especially new, be aware of all encompassing 
details, every RFC, etc, related to SMTP before he even attempts to 
write a server or client?  Can 5321 alone do the job for a minimum 
design of standard server or client?


Tony Finch | 1 Feb 21:35 2009

Re: STARTTLS & EHLO: Errata text?


On Sun, 1 Feb 2009, Hector Santos wrote:
>
> I was thinking of 3207 with text similar to:
>
>     The secured SMTP client MUST resend the EHLO command and the
>     secured SMTP server MUST be prepared to issue an 503
>     for any out of sequence commands by legacy 3207 clients.

What's wrong with the text I suggested?

   Upon completion of the TLS handshake, the SMTP protocol is reset to
   the initial state (the state in SMTP after a server issues a 220
   service ready greeting).  The requirement in [RFC5321] that "a client
   MUST issue HELO or EHLO before starting a mail transaction" also
   applies to this fresh state.

> On the other hand, if 3207 is altered to enforce a MUST, then we need to
> change our server and in that vein, I reject this 3207 change to a MUST.

This isn't a change to 3207, it's a clarification. This is a requirement
on the client so it isn't strictly necessary for servers to enforce it
(robustness principle and all that). Does your server enforce the
requirement for plaintext connections?

Tony.
-- 
f.anthony.n.finch  <dot <at> dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
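
The reset described in the suggested text above, as an added example that is not part of the original thread or of any server's code: a toy server-side session model that forgets the plaintext EHLO when STARTTLS completes and answers MAIL with a "bad sequence" reply until the client greets again. `Session`, `handle`, `replay` and the host names are hypothetical, and the TLS handshake is assumed to succeed.

```python
# Added illustration, not code from any real server: a toy model of the
# server-side SMTP session state discussed in this thread.
# Session, handle and replay are hypothetical names.

class Session:
    def __init__(self, enforce_helo=True):
        # enforce_helo=False models a permissive server that lets MAIL through.
        self.enforce_helo = enforce_helo
        self.tls = False
        self.helo_name = None   # None means "initial state, no HELO/EHLO yet"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo_name = arg
            # STARTTLS is only advertised before TLS is active (RFC 3207).
            if verb == "EHLO" and not self.tls:
                return "250-mx.example.test\r\n250 STARTTLS"
            return "250 mx.example.test"
        if verb == "STARTTLS":
            if self.tls:
                # Reply choice for a repeated STARTTLS is this example's assumption.
                return "503 Bad sequence of commands"
            # The handshake is assumed to succeed right after the 220 reply.
            self.tls = True
            # Reset: forget everything learned in plaintext, including EHLO.
            self.helo_name = None
            return "220 Ready to start TLS"
        if verb == "MAIL":
            if self.enforce_helo and self.helo_name is None:
                return "503 Bad sequence of commands"
            return "250 OK"
        return "500 Syntax error, command unrecognized"


def replay(commands, enforce_helo=True):
    """Feed constructed client commands to a fresh session; return replies."""
    session = Session(enforce_helo)
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    # Constructed sample: a legacy client that skips the second EHLO.
    for reply in replay(["EHLO client.test", "STARTTLS", "MAIL FROM:<a@client.test>"]):
        print(reply)
```
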

John C Klensin | 1 Feb 21:46 2009

Re: STARTTLS & EHLO: Errata text?


--On Sunday, February 01, 2009 20:35 +0000 Tony Finch
<dot <at> dotat.at> wrote:

> On Sun, 1 Feb 2009, Hector Santos wrote:
>> 
>> I was thinking of 3207 with text similar to:
>> 
>>     The secured SMTP client MUST resend the EHLO command and
>>     the secured SMTP server MUST be prepared to issue an 503
>>     for any out of sequence commands by legacy 3207 clients.
> 
> What's wrong with the text I suggested?
> 
>    Upon completion of the TLS handshake, the SMTP protocol is reset to
>    the initial state (the state in SMTP after a server issues a 220
>    service ready greeting).  The requirement in [RFC5321] that "a client
>    MUST issue HELO or EHLO before starting a mail transaction" also
>    applies to this fresh state.

Tony, repeating my disclaimer about not feeling qualified to
have an opinion about whether more text is needed in 3207, I
think you are specifying the client behavior (which I believe to
be necessary) while Hector is trying to specify the server
behavior if the client doesn't do what is expected of it.  We
don't often take that step, precisely to permit servers to be
more permissive if they want to, but maybe it would be useful in
this case.  Or maybe not.


Hector Santos | 1 Feb 22:52 2009

Re: STARTTLS & EHLO: Errata text?


Tony Finch wrote:
> On Sun, 1 Feb 2009, Hector Santos wrote:
>> I was thinking of 3207 with text similar to:
>>
>>     The secured SMTP client MUST resend the EHLO command and the
>>     secured SMTP server MUST be prepared to issue an 503
>>     for any out of sequence commands by legacy 3207 clients.
> 
> What's wrong with the text I suggested?
> 
>    Upon completion of the TLS handshake, the SMTP protocol is reset to
>    the initial state (the state in SMTP after a server issues a 220
>    service ready greeting).  The requirement in [RFC5321] that "a client
>    MUST issue HELO or EHLO before starting a mail transaction" also
>    applies to this fresh state.

IMO, it is lacking insights regarding legacy servers and clients 
potential behavior.  See below.

>> On the other hand, if 3207 is altered to enforce a MUST, then we need to
>> change our server and in that vein, I reject this 3207 change to a MUST.
> 
> This isn't a change to 3207, it's a clarification. This is a requirement
> on the client so it isn't strictly necessary for servers to enforce it
> (robustness principle and all that). 

I like to see "Protocol Consistency."  What is expected of the client, 
helps define what is expected of the server, and vice versa.


SM | 1 Feb 23:36 2009

Re: STARTTLS & EHLO: Errata text?


Hi Hector,
At 11:49 01-02-2009, Hector Santos wrote:
>I was thinking of 3207 with text similar to:
>
>     The secured SMTP client MUST resend the EHLO command and the
>     secured SMTP server MUST be prepared to issue an 503
>     for any out of sequence commands by legacy 3207 clients.
>
>Why?
>
>Our server, and probably others, based on the original relaxed 
>semantics "Client SHOULD resend EHLO/HELO" guideline, does not 
>enforce it simply because it didn't say MUST.

If you say MUST in that part of the text in RFC 3207, you'll have to 
explain about when EHLO is not required.  If the HELO/EHLO guidelines 
were different from RFC 2821, it should have been mentioned in RFC 
3207.  But they are not.  For those who might point out that we are 
sending two EHLOs, I'll mention that it is clearly stated that the 
SMTP protocol is reset.

>In other words, the secured client can continue with a MAIL FROM and 
>the normal reply codes associated with it apply, but not 503 because 
>it wasn't deemed necessary at this stage.

There is no need for a requirement to issue a 503 reply as we already 
know that the reply is applicable if we send out of sequence commands.

>On the other hand, if 3207 is altered to enforce a MUST, then we 

