ietf-smtp
[Top] [All Lists]

Re: RSET command - possible security loophole

2011-06-01 16:53:00

Yes, exactly.

And the "only one AUTH per session" condition (which you
describe as "nly allowed before the first MAIL in the
session"... well, while 4954 could have imposed that condition,
I don't think it does (and, IMO, it would have been be really
bad design if it had)

    john


--On Wednesday, June 01, 2011 17:24 -0400 Peter Bowen
<pzbowen(_at_)gmail(_dot_)com> wrote:

On Wed, Jun 1, 2011 at 15:39, John C Klensin
<john+smtp(_at_)jck(_dot_)com> wrote:
On Wednesday, June 01, 2011 12:09 -0400 Peter Bowen
<pzbowen(_at_)gmail(_dot_)com> wrote:

But this would be allowed, correct?

No, it is not.  See below.

(Assuming no previous AUTH was sent)

C: MAIL FROM:<whoever@wherever>
S: 250 Go ahead, you unauthenticated thing you
C: RCPT TO:<highmucketymuck@wherever>
S: 559 Authorization failure, need to authenticate to send to
    this address
C: RSET
S: 250 State reset
C: AUTH blah blah blah
S: 250 OK, you're authorized now
C: RCPT TO:<highmucketymuck@wherever>
S: 250 OK, you're allowed to do that now

Once the RSET is issued, I would think the state it is not
"during a mail transaction".

That is correct: unless some extension changes it, mail
transactions start with a MAIL command.  Since RSET resets
any mail transaction that happens to be in progress, the
sequence above ought to produce a "command out of order"
response to the second RCPT command.

You are of course correct.  What I intended did not make it
into the example.  Corrected:

C: MAIL FROM:<whoever@wherever>
S: 250 Go ahead, you unauthenticated thing you
C: RCPT TO:<highmucketymuck@wherever>
S: 559 Authorization failure, need to authenticate to send to
this address C: RSET
S: 250 State reset
C: AUTH blah blah blah
S: 250 OK, you're authorized now
C: MAIL FROM:<whoever@wherever>
S: 250 Go ahead, I know who you are
C: RCPT TO:<highmucketymuck@wherever>
S: 250 OK, you're allowed to do that now

My point is that sending a RSET sets the state back to "not
during mail transaction", hence you can AUTH after RSET.  The
other alternative is that AUTH is only allowed before the
first MAIL in the session.

Thanks,
Peter