Re: RFC2821bis-01 Issue 3: EHLO parameter

2007-03-30 23:56:49

At 06:25 -0400 on 03/30/2007, Hector Santos wrote about Re: RFC2821bis-01 Issue 3: EHLO parameter:

Right, the irony is that the SUBMIT (port 587) is about strong
authentication at all levels. Yet, it can provide a "lesser of all
evils" avenue to help resolve this current issue by relaxing any strong
EHLO/HELO verification that is increasingly becoming a wide practice for
anonymous transactions under port 25.

Raising an issue about EHLO/HELO verification and Port 587/SUBMIT, I have the impression (possibly erroneous) that Port 587 use requires an SMTP AUTH handshake. If so, then use of HELO on Port 587 should IMO be banned (i.e. any attempt to use it to start the session should be rejected with an invalid command reply) since only EHLO will return the 220 list of supported commands - in particular the AUTH that lists the acceptable handshake protocols (PLAIN/LOGON/CRAM-MD5/etc.). If I go HELO I am not informed of the valid handshake methods even if I can assume AUTH is supported. I've seen sites that ONLY offer CRAM-MD5 (but not PLAIN or LOGON) due to PLAIN and LOGON being fake "security by obscurity" that fails to protect if the session is being monitored/recorded (both send a constant reply that just needs to be unBASE64'ed to see the actual USERID/PW pair).

NOTE: That comment may fork the discussion and trigger the need for a new ISSUE Number. Editor/Monitor, please do a RE:/WAS to issue one if appropriate.
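An added example, not from this thread, of the client-side logic the message argues for: a parser for the multi-line EHLO reply that extracts the advertised AUTH mechanisms, the single-line HELO reply that carries none, and a selection policy that refuses the base64-only mechanisms PLAIN and LOGIN unless the session is already under TLS. The host names, reply lines and mechanism list are constructed for the example.

```python
import re

# Constructed sample replies (not captured from any real server).
# EHLO: multi-line 250 reply, "250-" continues, "250 " ends it, and the
# AUTH keyword advertises the SASL mechanisms the server accepts.
EHLO_REPLY = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)
# HELO: a single greeting line, so the client learns nothing about AUTH.
HELO_REPLY = "250 mail.example.test\r\n"

# Mechanisms whose credentials are only base64-encoded on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Client preference, strongest first.
PREFERENCE = ["CRAM-MD5", "PLAIN", "LOGIN"]


def parse_reply(reply):
    """Parse a (possibly multi-line) SMTP reply into (code, {keyword: params})."""
    lines = reply.splitlines()
    keywords = {}
    code = None
    for i, line in enumerate(lines):
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        code, sep, text = m.groups()
        if sep == " " and i != len(lines) - 1:
            raise ValueError("text after the final reply line")
        if i == 0:
            continue  # the first line is the greeting, not a keyword
        parts = text.split()
        if parts:
            keywords[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return code, keywords


def choose_auth_mechanism(keywords, tls_active):
    """Pick a mechanism from the AUTH list; refuse PLAIN/LOGIN off-TLS."""
    offered = set(keywords.get("AUTH", []))
    if not tls_active:
        offered -= PLAINTEXT_MECHS
    for mech in PREFERENCE:
        if mech in offered:
            return mech
    return None  # nothing acceptable: do not send credentials
```

With the constructed reply, an unencrypted session ends up with CRAM-MD5 and a server that only offers PLAIN/LOGIN gets no credentials at all until STARTTLS has been negotiated.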