[Top] [All Lists]

RE: RSET command - possible security loophole

2011-05-31 18:41:51

-----Original Message-----
From: Ned Freed [mailto:ned(_dot_)freed(_at_)mrochek(_dot_)com]
Sent: Tuesday, May 31, 2011 3:29 PM
To: Murray S. Kucherawy
Cc: ietf-smtp(_at_)imc(_dot_)org
Subject: RE: RSET command - possible security loophole

Authentication (AUTH) and session security (STARTTLS) are the obvious 
but it is also very common for implementations to support proprietary
mechanisms to allow setting of various session attributes (including but not
limited to the real IP address of the client). Various sorts of proxies are 
usual use-case for this stuff.

Sorry, right, AUTH and STARTTLS of course.  My point is that once you hit MAIL 
and thus begin message-specific operations rather than connection-specific 
ones, I can't think of any SMTP commands that go back and potentially alter 
session state in any obvious way that I can think of.

What am I missing?