Re: RSET command - possible security loophole

2011-05-31 10:32:31

My impression is that the behavior of RSET has never been defined with respect 
to authentication, and that the Right Thing for RSET to do with respect to 
authentication is absolutely nothing.

A separate question is whether RSET affects anything in an SMTP extension.  
It's easy to say that RSET doesn't affect extensions, but I doubt that's the 
right tack.  RSET should definitely affect CHUNKING, for instance.  But I think 
RSET should only affect the current message being sent.

With respect to authentication, it's arguable that there should be some way to 
"logout" without ending the current TCP session.   But that would have to be a 
separate SMTP extension.
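
An added illustration, not part of the original message: a toy Python model of the behaviour the message argues for, in which RSET discards the current mail transaction (including buffered CHUNKING data) and leaves authentication alone. The class name, the one-line `AUTH user password` stand-in for a SASL exchange, the AUTH-required policy and the reply texts are assumptions made for the example.

```python
import hmac

class SmtpSession:
    """Toy model of one SMTP connection's server-side state (no networking)."""

    def __init__(self, credentials):
        self.credentials = credentials  # constructed user -> password map
        self.auth_user = None           # session scope: lasts until the connection ends
        self._clear_transaction()

    def _clear_transaction(self):
        # Transaction scope: everything tied to the message in progress.
        self.sender, self.recipients, self.chunks = None, [], []

    def handle(self, line, payload=b""):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":  # simplified stand-in for SASL: "AUTH user password"
            if self.auth_user or self.sender:
                return "503 bad sequence of commands"
            user, _, password = arg.partition(" ")
            expected = self.credentials.get(user)
            if expected is not None and hmac.compare_digest(expected, password):
                self.auth_user = user
                return "235 authentication successful"
            return "535 authentication credentials invalid"
        if verb == "RSET":
            self._clear_transaction()   # auth_user is deliberately left untouched
            return "250 OK"
        if verb == "MAIL":
            if self.auth_user is None:  # assumed policy: submission requires AUTH
                return "530 authentication required"
            if self.sender is not None:
                return "503 bad sequence of commands"
            self.sender = arg
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 bad sequence of commands"
            self.recipients.append(arg)
            return "250 OK"
        if verb == "BDAT":  # CHUNKING: buffered chunks belong to the transaction
            if not self.recipients:
                return "503 bad sequence of commands"
            self.chunks.append(payload)
            return "250 chunk received"
        return "500 command not recognized"
```

Keeping the two scopes in separate fields makes the property easy to regression-test: after RSET the sender, recipients and chunk buffer are empty while the authenticated identity is unchanged.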