On 11/1/2024 4:25 PM, John C Klensin wrote:

> This command, described in RFC 821, raises important security issues since, in the absence of strong authentication of the host requesting that the client and server switch roles, it can easily be used to divert mail from its correct destination. Its use is deprecated; SMTP systems SHOULD NOT use it unless the server can authenticate the client.
>
> FWIW, that test was present in RFC 2821, so is more than 23 years old.
>
> In this new version of the document - perhaps we make this more directive?
Is the existing text causing problems? Where is the documentation that it is?
The existing text provides a very clear caution. Is there any evidence this is insufficient?
Playing with spec text just because, gosh, we could do better, should be questionable for a spec and especially for the late-stage of a -bis effort.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social