
Submit and HELO (was: Re: RFC2821bis-01 Issue 3: EHLO parameter)

2007-03-31 07:47:51


I think this is a Submit issue, rather than an SMTP one, so I
don't know quite how to summarize it into an issue that is
2821bis-relevant. If you disagree, please explain.


--On Saturday, 31 March, 2007 02:09 -0400 "Robert A. Rosenberg"
<hal9001(_at_)panix(_dot_)com> wrote:

At 06:25 -0400 on 03/30/2007, Hector Santos wrote about Re:
RFC2821bis-01 Issue 3: EHLO parameter:

Right, the irony is that the SUBMIT (port 587) is about strong
authentication at all levels. Yet, it can provide a "lesser
of all evils" avenue to help resolve this current issue by
relaxing any strong EHLO/HELO verification that is increasingly
becoming a wide practice for anonymous transactions under
port 25.

Raising an issue about EHLO/HELO verification and Port
587/SUBMIT, I have the impression (possibly erroneous) that
Port 587 use requires an SMTP AUTH handshake. If so, then use of
HELO on Port 587 should IMO be banned (i.e., any attempt to use
it to start the session should be rejected with an invalid
command reply) since only EHLO will return the 220 list of
supported commands - in particular the AUTH that lists the
acceptable handshake protocols (PLAIN/LOGON/CRAM-MD5/etc.). If
I go HELO I am not informed of the valid handshake methods
even if I can assume that AUTH is supported. I've seen sites
that ONLY offer CRAM-MD5 (but not PLAIN or LOGON) due to PLAIN
and LOGON being fake "security by obscurity" that fails to
protect if the session is being monitored/recorded (both send
a constant reply that just needs to be unBASE64'ed to see the
actual USERID/PW pair).

NOTE: That comment may fork the discussion and trigger the
need for a new ISSUE Number. Editor/Monitor, please do a
RE:/WAS to issue one if appropriate.
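As an added illustration (not part of this thread or of any implementation discussed in it), here is a small Python model of what Robert proposes: a submission server that refuses HELO and advertises its AUTH mechanisms only in the EHLO reply, together with the client-side contrast that explains why a site might offer only CRAM-MD5. The hostname, the 500 reply text, the sample challenge and the credentials are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Mechanisms whose client response is merely an encoding of the password,
# so anyone recording an unprotected session can read the credentials.
CLEARTEXT_EQUIVALENT = {"PLAIN", "LOGIN"}


def submission_reply(command, mechanisms):
    """Model of a port-587 server following the proposal: HELO is refused
    with an invalid-command reply, EHLO lists the AUTH mechanisms.
    (Hostname and reply wording are assumptions.)"""
    verb = command.split(None, 1)[0].upper()
    if verb == "HELO":
        return ["500 5.5.1 HELO not accepted on the submission port; use EHLO"]
    if verb == "EHLO":
        return ["250-submit.example.net", "250 AUTH " + " ".join(mechanisms)]
    return ["500 5.5.1 Command unrecognized"]


def advertised_auth_mechanisms(reply_lines):
    """Extract the mechanism names from a multi-line EHLO reply."""
    for line in reply_lines:
        body = line[4:]  # strip "250-" / "250 "
        if body.upper().startswith("AUTH "):
            return body.split()[1:]
    return []


def choose_mechanism(offered):
    """Prefer challenge-response; return None if only PLAIN/LOGIN are offered."""
    for m in offered:
        if m.upper() == "CRAM-MD5":
            return m
    return None


def plain_initial_response(user, password):
    """AUTH PLAIN sends base64("\\0user\\0password"): trivially reversible."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def cram_md5_response(user, password, challenge_b64):
    """AUTH CRAM-MD5 (RFC 2195): the password only keys an HMAC-MD5 over the
    server's challenge, so the recorded response never contains it."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def decode_response(b64):
    """What an observer of the session sees after un-base64ing the reply."""
    return base64.b64decode(b64).decode()
```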