On 2 Aug 1999, Thomas Neumann wrote:
> Dave Sill <[EMAIL PROTECTED]> writes:
>
> > Thomas Neumann <[EMAIL PROTECTED]> wrote:
> > >
> > >I think Exchange can also use ETRN to tell another SMTP
> > >server that it wants it to send queued mail, but ETRN
> > >is even worse, being incredibly insecure
> >
> > Not true. TURN is incredibly insecure, because it feeds messages back
> > over an unverified connection, but ETRN is as secure any other SMTP
> > exchange.
>
> Yes, exactly as secure as any other SMTP command, which is
> a nice way to say 'not secure at all'.
>
> ETRN, on servers that support it, is part of a normal, unverified
> SMTP session. What verification capabilities do you see in ETRN as
> defined in RFC1985? It would at least be pseudo-secure if the domain
> name given as parameter of the ETRN command would be the FQDN to
> connect to for sending the queue's content and the ETRN capable MTA on
> the server side would open a separate connection to that given host,
ETRN DOES require the server to open a NEW SMTP connection to the domain
that is being transferred. THAT IS THE DIFFERENCE BETWEEN ETRN AND TURN.
Please go back and reread the RFCs. ETRN IS secure.
RFC 1985, Section 3, third paragraph:
"The security loophole is avoided by asking the server to start a new
connection aimed at the specified client."
> but this is not the case (and can not be, as RFC1985 section 5 says
> the given domain is allowed to resolve to only an MX, hence is allowed
> to lack an A record and therefore maybe can not be connect()'ed to).
> The domain supplied with ETRN is only to tell the server which
> elements of its queue it should send to the client.
>
> > Basically, it's just telling a server "hey, if you've got
> > any mail for host X, you should try sending it now".
>
> Yes, and it will send it over the already running SMTP session
> in which the ETRN command was issued. So what keeps me away
> from telnet'ing to some SMTP server that I know does ETRN for
> domain foo.bar.com and shoot a 'ETRN foo.bar.com' at it and
> it will happily send me all of foo.bar.com's mails?
NO!!!! ETRN tells the mail server to resend the mail for the specified
domain using a NEW SMTP connection (normal queue processing). It
SPECIFICALLY FORBIDS using the existing SMTP connection. You are
confusing ETRN with TURN.
>
> > qmail+serialmail supports AutoTURN, which is like ETRN, but doesn't
> > require the remote site to send an ETRN command.
>
> This is true, but it only works iff your dialup clients have static IP
> addresses.
>
>
> -t
>
>
---------------------------------
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/
The National Business Network Inc. http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA 15146
(412) 810-8888 Phone
(412) 810-8886 Fax
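To make the distinction argued in this thread concrete, here is an added example (not code from the thread, from qmail, or from any real MTA) of a minimal ETRN/TURN command handler in the spirit of RFC 1985: the only thing written back over the inbound session is a reply line, queued mail is handed to a separate outbound queue run toward the named domain, and TURN is refused outright. The QUEUE table, the Session class and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample state: domains this server queues for -> pending message count.
QUEUE = {"foo.bar.com": 3, "mail.foo.bar.com": 1, "other.example": 0}

# Optional leading '@' means "this domain and everything under it" (RFC 1985 sub-domain form).
DOMAIN_RE = re.compile(
    r"^@?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)

@dataclass
class Session:
    """One inbound SMTP session. flush_jobs records which queues were kicked off;
    the messages themselves never travel back over this session's socket."""
    flush_jobs: list = field(default_factory=list)

def matching_queues(arg):
    """Resolve an ETRN argument to the queue entries it selects."""
    if arg.startswith("@"):
        sub = arg[1:].lower()
        return [d for d in QUEUE if d == sub or d.endswith("." + sub)]
    return [d for d in QUEUE if d == arg.lower()]

def handle(session, line):
    """Return the SMTP reply line for one ETRN or TURN command on this session."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "TURN":
        # TURN would reverse roles on this unauthenticated connection and hand
        # the caller whatever is queued; a server should simply not offer it.
        return "502 TURN not implemented"
    if verb != "ETRN":
        return "500 Syntax Error"
    if not arg or not DOMAIN_RE.match(arg):
        return "501 Syntax Error in Parameters"
    targets = matching_queues(arg)
    if not targets:
        # Policy choice (assumption): only domains we queue for may be flushed.
        return f"459 Node {arg} not allowed: not a domain this server queues for"
    pending = sum(QUEUE[d] for d in targets)
    if pending == 0:
        return f"251 OK, no messages waiting for node {arg}"
    # The queue run happens out of band: the MTA resolves the MX for each domain
    # and opens a NEW outbound SMTP connection to it, exactly as for any queued mail.
    session.flush_jobs.extend(targets)
    return f"253 OK, {pending} pending messages for node {arg} started"
```

The caller who sends `ETRN foo.bar.com` only learns that a queue run started; where the mail goes is decided by DNS for foo.bar.com, not by who issued the command.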