Re: [exim-dev] XCLIENT patch to Exim; Cambridge

Author: Viktor Dukhovni
Date:  
To: exim-dev
CC: Wietse Venema
Subject: Re: [exim-dev] XCLIENT patch to Exim; Cambridge
On Fri, Jan 16, 2015 at 12:52:46AM +0000, Jeremy Harris wrote:

> Most of the attributes look ok for us to support. I'm dubious
> about the LOGIN one though; this feels like a protocol level
> violation.


In Postfix this allows proxying of SASL logins. A proxy might
handle SASL auth in front of the MTA. The MTA receives the SASL
login name as determined by the proxy and applies access control
decisions accordingly.

> Is that Postfix page the sole definition of the ESMTP option?


I think so, that's why it is perhaps time for an IETF draft, the
feature seems to have caught on far beyond Postfix. Not sure
whether the I-D should be informational or standards-track. XCLIENT
is a local matter between various load-balancer systems and the
MTA behind them, and is not generally a concern across independently
operated systems. So informational might be less work, and still
get the job done.

> I note it doesn't specify the format of an IP address
> (there is an example of an IPv4 one).


Quoting XCLIENT_README:

    The ADDR attribute specifies an SMTP client numerical IPv4
    network address, an IPv6 address prefixed with IPV6:, or
    [UNAVAILABLE] when the address information is unavailable.
    Address information is not enclosed with [].


Thus one of the three forms:

    192.0.2.1
    IPv6:2001:db8::1
    [UNAVAILABLE]


> Swaks supports it, and mentions another (undocumented!)
> attribute: REVERSE_NAME ...
> ( http://www.jetmore.org/john/code/vmail/latest/doc/ref.txt )


It does look like XCLIENT_README omits that attribute which was
added more recently. The full list is:

    #define XCLIENT_NAME            "NAME"          /* client name */
    #define XCLIENT_REVERSE_NAME    "REVERSE_NAME"  /* reverse client name */
    #define XCLIENT_ADDR            "ADDR"          /* client address */
    #define XCLIENT_PORT            "PORT"          /* client port */
    #define XCLIENT_PROTO           "PROTO"         /* client protocol */
    #define XCLIENT_HELO            "HELO"          /* client helo */
    #define XCLIENT_LOGIN           "LOGIN"         /* SASL login name */


The REVERSE_NAME is the unverified result of a PTR lookup, while
NAME is the FCrDNS. These are of course not always available to
the proxy.

-- 
    Viktor.
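As an added illustration (not part of this message, and not Exim's or Postfix's code), the parser below shows what an MTA has to check before it lets an XCLIENT command override the client identity it uses for access control: the command must come from a trusted proxy, only the seven attributes listed above are accepted, ADDR must take one of the three forms quoted from XCLIENT_README, and values are xtext-decoded (RFC 3461; XCLIENT_README specifies xtext for attribute values, which the message above does not quote). The trusted proxy networks, the sample command lines and the `parse_xclient`/`parse_addr` names are assumptions made for this example.

```python
"""Validate an SMTP XCLIENT command before trusting its attributes.

Added example; not Exim or Postfix code. The attribute set and the ADDR
forms follow the XCLIENT_README excerpts quoted in the message above.
"""
import ipaddress
import re

# Attribute names from Postfix's XCLIENT implementation (see the #define list above).
KNOWN_ATTRS = {"NAME", "REVERSE_NAME", "ADDR", "PORT", "PROTO", "HELO", "LOGIN"}

# Assumption for this example: only these networks host proxies allowed to send XCLIENT.
# An MTA that accepts XCLIENT from anyone lets any client forge NAME/ADDR/LOGIN.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),       # constructed value
    ipaddress.ip_network("2001:db8:1::/48"),    # constructed value
]

_XTEXT_ESCAPE = re.compile(r"\+([0-9A-Fa-f]{2})")


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer that sent XCLIENT is one of our configured proxies."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in TRUSTED_PROXIES)


def xtext_decode(value: str) -> str:
    """Decode xtext (RFC 3461): '+HH' stands for the byte 0xHH; a bare '+' or '=' is illegal."""
    if "=" in value or re.search(r"\+(?![0-9A-Fa-f]{2})", value):
        raise ValueError(f"malformed xtext: {value!r}")
    return _XTEXT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_addr(raw: str):
    """Accept the three ADDR forms: dotted IPv4, 'IPv6:' + IPv6, or [UNAVAILABLE].

    Returns an ipaddress object, or None for [UNAVAILABLE]. Addresses are never
    enclosed in [] and a bare IPv6 address without the prefix is rejected.
    """
    if raw == "[UNAVAILABLE]":
        return None
    if raw[:5].upper() == "IPV6:":
        addr = ipaddress.ip_address(raw[5:])
        if addr.version != 6:
            raise ValueError(f"IPv6: prefix on non-IPv6 address {raw!r}")
        return addr
    addr = ipaddress.ip_address(raw)
    if addr.version != 4:
        raise ValueError(f"IPv6 address must carry the IPv6: prefix: {raw!r}")
    return addr


def parse_xclient(line: str, peer_ip: str) -> dict:
    """Parse 'XCLIENT NAME=... ADDR=... LOGIN=...' from a verified proxy.

    Raises PermissionError for untrusted peers and ValueError for bad syntax.
    Values of [UNAVAILABLE] are returned as None so callers cannot mistake the
    literal string for a real hostname or login name.
    """
    if not is_trusted_proxy(peer_ip):
        raise PermissionError(f"XCLIENT from untrusted peer {peer_ip}")
    verb, _, rest = line.strip().partition(" ")
    if verb.upper() != "XCLIENT" or not rest.strip():
        raise ValueError("syntax: XCLIENT attribute=value ...")

    attrs = {}
    for token in rest.split():
        name, sep, value = token.partition("=")
        name = name.upper()
        if not sep or name not in KNOWN_ATTRS:
            raise ValueError(f"unknown or malformed attribute {token!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name}")
        value = xtext_decode(value)
        if value == "[UNAVAILABLE]":
            attrs[name] = None
            continue
        if name == "ADDR":
            value = parse_addr(value)
        elif name == "PORT":
            if not value.isdigit() or not 0 <= int(value) <= 65535:
                raise ValueError(f"bad PORT {value!r}")
            value = int(value)
        elif name == "PROTO":
            if value.upper() not in ("SMTP", "ESMTP"):
                raise ValueError(f"bad PROTO {value!r}")
            value = value.upper()
        attrs[name] = value
    return attrs


if __name__ == "__main__":
    # Constructed sample: a proxy passes on a SASL-authenticated client.
    print(parse_xclient(
        "XCLIENT NAME=mail.example.net ADDR=192.0.2.1 PORT=54321 PROTO=ESMTP "
        "HELO=mail.example.net LOGIN=user+40example.net", "192.0.2.10"))
```

The LOGIN handling is the part Jeremy's reply questions: once the command is accepted, `attrs["LOGIN"]` is the name the MTA will treat as authenticated, so the trust check on the TCP peer is the only thing standing between a stray client and a forged SASL identity. Keeping the proxy allow-list tight and logging rejected XCLIENT attempts is the defensive counterpart to supporting the attribute at all.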