--On Monday, 16 July, 2007 21:25 -0400 "Robert A. Rosenberg"

> At 15:08 -0400 on 07/15/2007, John C Klensin wrote about Re:
> draft-klensin-rfc2821bis-04: VRFY and EXPN syntax:
>
>> Partially because of the circumlocutions and security
>> consideration issues, there is a lot of text about VRFY and
>> EXPN in 2821bis.
>
> If I may put in my 2 cents, I'd like to hopefully see some
> comments about the security issues in using VRFY and EXPN in
> the security section (if they are not already there) as well
> as an EXPLICIT MUST that the EHLO reply ONLY list them if
> they have not been turned off (IOW: If you are going to reject
> them or send a "Send Me A message" reply to an attempt to VRFY
> then do not advertise support for them in the first place).

Please read the spec before posting comments like this to the
list. For this purpose, either RFC 2821 or
draft-klensin-rfc2821bis-04 will do although I'd prefer to have
comments on the latter if you are suggesting new text. You will
find that there are comments in the Security Considerations
section already (about 3/4 page worth, enough of them to rate a
whole subsection) and there is also an explanation of why your
suggestion about the EHLO advertisements would be ill-advised.
More generally, rfc2821bis is getting fairly late-stage at this
point. The odds that a suggestion will be accepted rise
dramatically if it actually and clearly identifies a bug and/or
if it comes with specific suggested text. Otherwise, absent
fairly strong consensus that the issue is important, the
overworked and exhausted editor is unlikely to find the energy
to make up text, figure out where to put it, and then ask people
to review that text.