From: Ned Freed [mailto:ned(_dot_)freed(_at_)mrochek(_dot_)com]
Sent: Tuesday, May 31, 2011 3:29 PM
To: Murray S. Kucherawy
Subject: RE: RSET command - possible security loophole
Authentication (AUTH) and session security (STARTTLS) are the obvious ones,
but it is also very common for implementations to support proprietary
mechanisms to allow setting of various session attributes (including but not
limited to the real IP address of the client). Various sorts of proxies are
the usual use-case for this stuff.
Sorry, right, AUTH and STARTTLS of course. My point is that once you hit MAIL
and thus begin message-specific operations rather than connection-specific
ones, I can't think of any SMTP commands that go back and potentially alter
session state in any obvious way that I can think of.
What am I missing?