Re: XCLIENT, XFORWARD: widely used, standardisation?
From: Wietse Venema (wietse porcupine.org)
Date: Wed Jun 01 2005 - 12:45:12 CDT
Richard Dawe:
> Hello.
>
> On Wed, 2005-06-01 at 17:55, Wietse Venema wrote:
> [snip]
> > XCLIENT etc. are not widely used as far as I know. Neither are
> > ready for standardization at this point and need further development;
> > however, my limited cycles are currently more focused on making
> > Postfix complete with respect to existing RFCs.
>
> Do you have a summary of what further development is needed?
>
> (I searched the postfix-users archive, but could not see anything.)
The two extensions are similar in appearance but serve different needs:
1 - XCLIENT is a client impersonation mechanism to override access
controls. It overrides audit trail information.
2 - XFORWARD is a mechanism to propagate additional audit trail
information.
Right now the server will accept only the attributes that it has
support for, and none of the existing attributes happens to
require XTEXT encoding. There is a need for more XFORWARD attributes
to provide more hints to content filters. If we add more attributes
then the implementation will be easier if all attributes are XTEXT
encoded, instead of just those attributes that need it.
> [snip]
> > I am not married to the way things are currently implemented, but
> > I was concerned that things would eventually break as more and more
> > attributes add to the length of the MAIL FROM command.
>
> I think that is a good decision.
With the drawback that it adds to the SMTP command set; this may
fail with some stateful firewalls. Of course very long MAIL FROM
commands may trip up firewalls in a different manner.
> > I'm certainly interested in standardizing some or all of the
> > functionality covered with XCLIENT and/or XFORWARD, in a manner
> > that is not tied to a specific MTA implementation.
>
> For what it's worth, I couldn't see anything in the documentation that
> ties it to postfix. I think it could be implemented fine with our MTA,
> but I haven't tried it.
What I meant to say was that the mechanism is MTA specific because
it is not standardized. I'd love to see something standardized so
that it will be adopted by multiple MTAs.
It does not have to be XCLIENT but if it is almost sufficient
then we might just fix the limitations and use that.
Wietse
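
Added example, not part of the original message and not Postfix code: a Python illustration of the approach the message describes, where every XFORWARD attribute value is xtext-encoded (RFC 3461 grammar) and the receiver accepts only the attribute names it supports. The `SUPPORTED` set, the function names and the sample values are assumptions made for this illustration.

```python
import re

# Attribute names this receiver supports (assumed subset for illustration).
SUPPORTED = {"NAME", "ADDR", "PROTO", "HELO"}
# xtext per RFC 3461: "+" plus two uppercase hex digits, or a printable
# US-ASCII character other than "+" and "=".
_TOKEN = re.compile(rb"\+([0-9A-F]{2})|([!-*,-<>-~])")
# Constructed sample values (not from the original message).
SAMPLE = {"NAME": b"client.example.com", "ADDR": b"192.0.2.10",
          "HELO": b"my host+x=1\r\n"}


def xtext_encode(value: bytes) -> str:
    """Encode every byte outside the literal xtext range as +HH."""
    return "".join(
        chr(b) if 0x21 <= b <= 0x7E and b not in (0x2B, 0x3D) else "+%02X" % b
        for b in value
    )


def xtext_decode(text: str) -> bytes:
    """Strict decode: raise ValueError on anything that is not valid xtext."""
    raw = text.encode("ascii")  # non-ASCII raises UnicodeEncodeError (a ValueError)
    out, pos = bytearray(), 0
    while pos < len(raw):
        m = _TOKEN.match(raw, pos)
        if m is None:
            raise ValueError("invalid xtext at offset %d" % pos)
        out.append(int(m.group(1), 16) if m.group(1) else m.group(2)[0])
        pos = m.end()
    return bytes(out)


def build_xforward(attrs: dict) -> str:
    """Sender side: encode all values the same way, whether they need it or not."""
    return "XFORWARD " + " ".join(f"{k}={xtext_encode(v)}" for k, v in attrs.items())


def parse_xforward(line: str) -> dict:
    """Receiver side: accept only supported attributes, each given once."""
    verb, _, rest = line.rstrip("\r\n").partition(" ")
    if verb.upper() != "XFORWARD" or not rest:
        raise ValueError("not an XFORWARD command")
    attrs = {}
    for item in rest.split(" "):
        name, sep, value = item.partition("=")
        name = name.upper()
        if not sep or name not in SUPPORTED or name in attrs:
            raise ValueError("rejected attribute %r" % item)
        attrs[name] = xtext_decode(value)
    return attrs
```

Because spaces, `+`, `=`, CR and LF in a value are all encoded, a value cannot split the command line or add a line to the audit trail, and the strict decoder rejects raw whitespace, lowercase hex and unknown attribute names.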