Index | Thread | Search

From:
gilles@poolp.org
Subject:
Re: smtpd(8) should add missing date and message id headers also on port 465
To:
"Kirill Miazine" <km@krot.org>, tech@openbsd.org
Date:
Tue, 03 Sep 2024 21:45:24 +0000

Download raw body.

Thread 
September 3, 2024 6:57 PM, "Kirill Miazine" <km@krot.org> wrote:

>> 
>> Generally ok with the idea of introducing F_SUBMISSION, also ok with the idea
>> to later introduce a listener mode (though I think keyword "submission" would
>> be better as "msa" will confuse most users).
> 
> "submission" is also keyword which e.g. Exim uses, and looking what it does in submission mode
> could give some helpful hints as to what OpenSMTPD could do in submission mode:
> 
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-message_processing.html#SECTsubmodnon
> 

Yup, I think both the RFC and behavior of other MTA need to be studied before we
take a direction with this. If there's a way to have a sane behavior without the
need for a new keyword and/or config option, I'd prefer that way.


>> I'm however not sure about adding port 465 as part of this diff, smtps is not
>> necessarily a submission port: private mail networks may mandate its use even
>> for MX to MX communications, and all sessions would be flagged incorrectly as
>> submission with this diff.
>> Since the code has assumed 587 == submission for a long time without any user
>> complaining, we might want to just introduce F_SUBMISSION on local and 587 as
>> a first step, it would be iso with today's behavior, then we can work on that
>> mode for listeners and let users set mode themselves for port 587 and 465.
>> I also need to read RFC 6409 before I comment further, I have an intuition we
>> can be smarter than this but I need to be sure it is legal: shouldn't we flag
>> F_SUBMISSION any mail that was submitted from an authenticated session ?
> 
> frequently an MTA would be using an authenticated session.
> 

Yes in the case of a smarthost for example, but in that case it is not operating
as a transfer MTA but as a client. I did an initial read of the RFC 6409 and the
intro already emphasizes the distinction auth/!auth and submissions/transfers so
I'd like to give it a bit more thinking.

Question:

    listen on [...] tls-require auth
    listen on [...] smtps auth

aren't these just implicit submissions because both configuration require a user
authentication before being able to submit a message ?