ietf-smtp

Re: RSET command - possible security loophole

2011-06-02 15:08:27
On 2011-06-01 17:34:58 -0400, John C Klensin wrote:
--On Wednesday, June 01, 2011 16:57 -0400 Hector Santos
<hsantos(_at_)santronics(_dot_)com> wrote:

The following is invalid because it clears the MAIL FROM:

  C: RCPT TO:<USER@REMOTE-HOST.COM>
  S: 530 Authentication required for relaying
  C: RSET
  S: 250 OK
  C: AUTH LOGIN

Assuming there was a MAIL command prior to the RCPT one,
otherwise it is invalid for other reasons (the response to RCPT
should be "503 Bad sequence of commands").

Yup.

AUTH after RSET but before MAIL is invalid only because 4894 says so.
5321 doesn't have a position on the subject.

AUTH after RSET but before MAIL is valid (not "during a mail
transaction"). AUTH after MAIL would be invalid (it is "during a mail
transaction").

        hp

-- 
   _  | Peter J. Holzer    | So Web 2.0 could also be translated as
|_|_) | Sysadmin WSR       | "net of small minds".
| |   | hjp(_at_)hjp(_dot_)at         | 
__/   | http://www.hjp.at/ |  -- Oliver Cromm in desd
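
The sequencing question in this message, as an added example that is not part of the original post: a minimal Python model of the server-side state, assuming RFC 4954's rule that AUTH during a mail transaction is rejected with 503 and that RSET ends the transaction without ending the session. The function name, the sample addresses, the 530 relay policy taken from the quoted session and the always-successful AUTH are assumptions.

```python
# Added example: models only command sequencing, not credentials or message data.

def smtp_replies(commands):
    """Return the reply code a sequencing-aware server would give each command."""
    in_transaction = False  # True from an accepted MAIL until RSET
    authenticated = False   # session-level state; RSET does not clear it
    replies = []
    for line in commands:
        verb = line.split()[0].upper()
        if verb == "MAIL":
            if in_transaction:
                code = 503                      # nested MAIL
            else:
                in_transaction, code = True, 250
        elif verb == "RCPT":
            if not in_transaction:
                code = 503                      # RCPT with no preceding MAIL
            elif not authenticated:
                code = 530                      # policy as in the quoted session
            else:
                code = 250
        elif verb == "RSET":
            in_transaction, code = False, 250   # aborts the transaction only
        elif verb == "AUTH":
            if in_transaction or authenticated:
                code = 503                      # AUTH mid-transaction, or a second AUTH
            else:
                authenticated, code = True, 235 # assumption: credentials accepted
        else:
            code = 500                          # verbs outside this model (DATA, EHLO, ...)
        replies.append(code)
    return replies

# Constructed sessions; the addresses are placeholders.
WITH_RSET = ["MAIL FROM:<a@example.org>", "RCPT TO:<user@remote.example>",
             "RSET", "AUTH LOGIN",
             "MAIL FROM:<a@example.org>", "RCPT TO:<user@remote.example>"]
WITHOUT_RSET = ["MAIL FROM:<a@example.org>", "RCPT TO:<user@remote.example>",
                "AUTH LOGIN"]
NO_MAIL = ["RCPT TO:<user@remote.example>"]

if __name__ == "__main__":
    for name, session in [("with RSET", WITH_RSET),
                          ("without RSET", WITHOUT_RSET),
                          ("RCPT before MAIL", NO_MAIL)]:
        print(name, list(zip(session, smtp_replies(session))))
```
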
