RE: RSET command - possible security loophole

2011-05-31 17:50:12

> Are there properties of the session state, other than
> implementation-specific ones, that might ever be altered by commands
> after EHLO?  I can't think of any.

Authentication (AUTH) and session security (STARTTLS) are the obvious examples,
but it is also very common for implementations to support proprietary
mechanisms to allow setting of various session attributes (including but not
limited to the real IP address of the client). Various sorts of proxies are the
usual use-case for this stuff.

I'm not a fan of proxies personally, mostly because proper implementation seems
to be a much bigger challenge than anyone cares to admit, but pretending they
don't exist and such commands haven't been implemented would be silly.

> Past EHLO, everything is either neutral or is a message-specific instruction
> of some kind.  If that's the case, then declaring that RSET only ever resets
> message state seems like where the RFC should leave it.

Sorry, that's not even close to correct.
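
Added example, not part of the original message: a toy server-side model that keeps the session attributes named above (STARTTLS, AUTH, a proxy-supplied client address) separate from the per-message envelope, so the scope of RSET can be checked. `XPROXYADDR`, `TRUSTED_PROXIES`, the addresses and the simplified reply codes are hypothetical stand-ins for this sketch; credential checks and the TLS handshake are omitted.

```python
from dataclasses import dataclass, field
from typing import List, Optional

TRUSTED_PROXIES = {"192.0.2.10"}  # constructed: peers allowed to assert a client address


@dataclass
class Session:
    peer_ip: str                      # address of the TCP peer, fixed for the connection
    # Session-scoped attributes: changed by commands after EHLO, not tied to one message.
    tls: bool = False
    auth_user: Optional[str] = None
    client_ip: Optional[str] = None   # "real" client address asserted by a proxy
    # Transaction-scoped attributes: the envelope of the message in progress.
    sender: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            self.tls = True
        elif verb == "AUTH":
            self.auth_user = arg
        elif verb == "XPROXYADDR":    # hypothetical proprietary proxy command
            if self.peer_ip not in TRUSTED_PROXIES:
                return "550 not permitted"
            self.client_ip = arg
        elif verb == "MAIL":
            self.sender = arg
        elif verb == "RCPT":
            self.rcpts.append(arg)
        elif verb == "RSET":
            # Only the mail transaction is discarded; session attributes are untouched.
            self.sender, self.rcpts = None, []
        return "250 OK"


def run(peer_ip: str, commands: List[str]) -> Session:
    """Feed a constructed command sequence to a fresh session and return its state."""
    s = Session(peer_ip=peer_ip)
    for c in commands:
        s.handle(c)
    return s


# Constructed sample exchange.
SAMPLE = ["STARTTLS", "AUTH alice", "XPROXYADDR 198.51.100.7",
          "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>", "RSET"]
```

Any policy decision keyed on `auth_user`, `tls` or `client_ip` therefore has to be made with the knowledge that those values persist across RSET and across every later message in the same session.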