From: gilles@poolp.org Subject: Re: smtpd(8) should add missing date and message id headers also on port 465 To: "Kirill Miazine" , tech@openbsd.org Date: Tue, 03 Sep 2024 21:45:24 +0000 September 3, 2024 6:57 PM, "Kirill Miazine" wrote: >> >> Generally ok with the idea of introducing F_SUBMISSION, also ok with the idea >> to later introduce a listener mode (though I think keyword "submission" would >> be better as "msa" will confuse most users). > > "submission" is also keyword which e.g. Exim uses, and looking what it does in submission mode > could give some helpful hints as to what OpenSMTPD could do in submission mode: > > https://www.exim.org/exim-html-current/doc/html/spec_html/ch-message_processing.html#SECTsubmodnon > Yup, I think both the RFC and behavior of other MTA need to be studied before we take a direction with this. If there's a way to have a sane behavior without the need for a new keyword and/or config option, I'd prefer that way. >> I'm however not sure about adding port 465 as part of this diff, smtps is not >> necessarily a submission port: private mail networks may mandate its use even >> for MX to MX communications, and all sessions would be flagged incorrectly as >> submission with this diff. >> Since the code has assumed 587 == submission for a long time without any user >> complaining, we might want to just introduce F_SUBMISSION on local and 587 as >> a first step, it would be iso with today's behavior, then we can work on that >> mode for listeners and let users set mode themselves for port 587 and 465. >> I also need to read RFC 6409 before I comment further, I have an intuition we >> can be smarter than this but I need to be sure it is legal: shouldn't we flag >> F_SUBMISSION any mail that was submitted from an authenticated session ? > > frequently an MTA would be using an authenticated session. > Yes in the case of a smarthost for example, but in that case it is not operating as a transfer MTA but as a client. I did an initial read of the RFC 6409 and the intro already emphasizes the distinction auth/!auth and submissions/transfers so I'd like to give it a bit more thinking. Question: listen on [...] tls-require auth listen on [...] smtps auth aren't these just implicit submissions because both configuration require a user authentication before being able to submit a message ?