Re: [offtopic] When is STARTTLS allowed?
From: Pedro Lamarão (pedro.lamarao intersix.com.br)
Date: Wed Jan 31 2007 - 13:10:36 CST
Wietse Venema wrote:
> Victor Duchovni:
>
>> On Wed, Jan 31, 2007 at 04:14:52PM -0200, Pedro Lamarão wrote:
>>
>>
>>> First off, I'm sorry to post this rather offtopic question.
>>> I searched Google Groups for a USENET group specific to SMTP and found none.
>>>
>>> I've just read RFC 2487 and was left wondering exactly when is STARTTLS
>>> allowed.
>>> The obvious use case is to use it just after the TCP connection was
>>> established, when the session is at the "initial" state.
>>> But is it allowed after MAIL, when the session is at the "envelope" state?
>>> Is it allowed after RCPT during the "envelope" state?
>>> (This state terminology is mine, sorry if it is too confusing; I'm
>>> trying to build a "state machine" picture out of the protocol.)
>>>
>>> The RFC merely states that, after STARTTLS handshaking completes, the
>>> connection goes back to the "initial" state and a HELO or EHLO must be
>>> issued.
>>>
>> With SMTP, "STARTTLS" is allowed only between "EHLO" and "MAIL",
>> and only if the server's ESMTP EHLO response includes "250-STARTTLS"
>> (or ends with "250 STARTTLS").
>>
>
> A specific pointer would help. If you look at Postfix source, then
> you will see that it accepts "STARTTLS" at any protocol stage,
> except after "STARTTLS". Postfix accepts "STARTTLS" after MAIL FROM,
> just like RSET, HELO or EHLO, because like Pedro I could not find a
> statement to the contrary.
>
By contrast, RFC 2554 explicitly states in section 4:
"The AUTH command is not permitted during a mail transaction."
My research produced the following chart for the "SMTP State Machine":
http://mndfck.org/~pedro.lamarao/stuff/SMTP_StateChart.png
(It is an optimistic chart and contains only one "error" case.)
Thank you for your help!
--
Pedro Lamarão
Development
Intersix Technologies S.A.
SP: (55 11 3803-9300)
RJ: (55 21 3852-3240)
www.intersix.com.br
Your Security is our Business
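Added example, not code from this thread and not Postfix's own code: a small Python model of the SMTP state machine discussed above, so the two readings can be compared on constructed command sequences. It assumes three states ("initial" before HELO/EHLO and again right after STARTTLS, "ready" after EHLO, "envelope" after MAIL); `strict=True` follows Victor's reading (STARTTLS only between EHLO and MAIL), `strict=False` follows the Postfix behaviour Wietse describes (STARTTLS at any stage except after STARTTLS), and AUTH is refused inside a transaction as RFC 2554 section 4 requires.

```python
from dataclasses import dataclass

@dataclass
class SmtpSession:
    """Tracks the session state the thread calls 'initial' / 'envelope'."""
    strict: bool = True      # True: STARTTLS only between EHLO and MAIL
    state: str = "initial"   # "initial" -> "ready" (after EHLO) -> "envelope" (after MAIL)
    tls: bool = False        # set once STARTTLS has been accepted

    def command(self, verb: str) -> str:
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "ready"
            return "250 OK"
        if verb == "RSET":
            if self.state == "envelope":
                self.state = "ready"
            return "250 OK"
        if verb == "STARTTLS":
            if self.tls:                      # both readings reject a second STARTTLS
                return "503 TLS already active"
            if self.strict and self.state != "ready":
                return "503 STARTTLS only allowed between EHLO and MAIL"
            self.tls = True
            self.state = "initial"            # RFC 2487: client must EHLO again
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if self.state == "envelope":      # RFC 2554 section 4
                return "503 AUTH not permitted during a mail transaction"
            if self.state == "initial":
                return "503 EHLO first"
            return "235 Authentication successful"  # credential check omitted
        if verb == "MAIL":
            if self.state != "ready":
                return "503 Bad sequence of commands"
            self.state = "envelope"
            return "250 OK"
        if verb == "RCPT":
            if self.state != "envelope":
                return "503 Bad sequence of commands"
            return "250 OK"
        return "500 Unknown command"

def reply_codes(verbs, strict=True):
    """Feed a constructed command sequence to a fresh session; return the 3-digit codes."""
    session = SmtpSession(strict=strict)
    return [session.command(v)[:3] for v in verbs]
```

Under either reading, anything sent after STARTTLS and before a fresh EHLO is refused, which is the "back to initial state" rule Pedro quotes from the RFC.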