On Fri, Jan 16, 2015 at 12:52:46AM +0000, Jeremy Harris wrote:

> Most of the attributes look ok for us to support.  I'm dubious
> about the LOGIN one though; this feels like a protocol level
> violation.  

In Postfix this allows proxying of SASL logins.  A proxy might
handle SASL auth in front of the MTA.  The MTA receives the SASL
login name as determined by the proxy and applies access control
decisions accordingly.

> Is that Postfix page the sole definition of the ESMTP option?

I think so, that's why it is perhaps time for an IETF draft, the
feature seems to have caught on far beyond Postfix.  Not sure
whether the I-D should be informational or standards-track.  XCLIENT
is a local matter between various load-balancer systems and the
MTA behind them, and is not generally a concern across independently
operated systems.  So informational might be less work, and still
get the job done.

> I note it doesn't specify the format of an IP address
> (there is an example of an IPv4 one).

Quoting XCLIENT_README:

    The ADDR attribute specifies an SMTP client numerical IPv4
    network address, an IPv6 address prefixed with IPV6:, or
    [UNAVAILABLE] when the address information is unavailable.
    Address information is not enclosed with [].

Thus one of the three forms:

    192.0.2.1
    IPv6:2001:db8::1
    [UNAVAILABLE]

> Swaks supports it, and mentions another (undocumented!)
> attribute: REVERSE_NAME ...
> ( http://www.jetmore.org/john/code/vmail/latest/doc/ref.txt )

It does look like XCLIENT_README omits that attribute which was
added more recently.  The full list is:

    #define XCLIENT_NAME            "NAME"          /* client name */
    #define XCLIENT_REVERSE_NAME    "REVERSE_NAME"  /* reverse client name */
    #define XCLIENT_ADDR            "ADDR"          /* client address */
    #define XCLIENT_PORT            "PORT"          /* client port */
    #define XCLIENT_PROTO           "PROTO"         /* client protocol */
    #define XCLIENT_HELO            "HELO"          /* client helo */
    #define XCLIENT_LOGIN           "LOGIN"         /* SASL login name */

The REVERSE_NAME is the unverified result of a PTR lookup.
While NAME is the FCrDNS.  These are of course not always available
to the proxy.

-- 
        Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
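
An added example (not part of the original message, and not Postfix or Exim code): a strict C parser for the three ADDR forms quoted above, the kind of check an MTA needs before basing access decisions on a proxy-supplied address. The names xaddr_kind and xclient_parse_addr, and the case-insensitive matching of the IPV6: prefix and of [UNAVAILABLE], are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Classification of an XCLIENT ADDR value (names are this example's own). */
enum xaddr_kind { XADDR_INVALID, XADDR_UNAVAILABLE, XADDR_IPV4, XADDR_IPV6 };

/*
 * Accept only the three forms quoted from XCLIENT_README: a bare IPv4
 * address, an IPv6 address with the "IPV6:" prefix, or [UNAVAILABLE].
 * For a real address the canonical text form is written to out.
 * Assumption: prefix and [UNAVAILABLE] are matched case-insensitively.
 */
enum xaddr_kind xclient_parse_addr(const char *val, char *out, size_t outlen)
{
    unsigned char bin[sizeof(struct in6_addr)];

    if (val == NULL || out == NULL || outlen == 0)
        return XADDR_INVALID;
    out[0] = '\0';
    if (strcasecmp(val, "[UNAVAILABLE]") == 0)
        return XADDR_UNAVAILABLE;
    if (strncasecmp(val, "IPV6:", 5) == 0) {
        /* inet_pton() rejects brackets and trailing junk. */
        if (inet_pton(AF_INET6, val + 5, bin) != 1
            || inet_ntop(AF_INET6, bin, out, (socklen_t) outlen) == NULL)
            return XADDR_INVALID;
        return XADDR_IPV6;
    }
    /* No prefix: must be dotted-quad IPv4; a bare IPv6 address fails here. */
    if (inet_pton(AF_INET, val, bin) != 1
        || inet_ntop(AF_INET, bin, out, (socklen_t) outlen) == NULL)
        return XADDR_INVALID;
    return XADDR_IPV4;
}

int main(void)
{
    /* First three values are from the message; the rest are constructed. */
    const char *samples[] = { "192.0.2.1", "IPv6:2001:db8::1", "[UNAVAILABLE]",
                              "[192.0.2.1]", "2001:db8::1", "IPV6:192.0.2.1" };
    char out[INET6_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s -> kind %d, addr \"%s\"\n", samples[i],
               (int) xclient_parse_addr(samples[i], out, sizeof(out)), out);
    return 0;
}
```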