On Fri, Nov 01, 2024 at 03:33:56PM -0400, Michael StJohns wrote:

> > This command, described in RFC 821, raises important security issues
> > since, in the absence of strong authentication of the host requesting
> > that the client and server switch roles, it can easily be used to
> > divert mail from its correct destination. Its use is deprecated;
> > SMTP systems SHOULD NOT use it unless the server can authenticate the
> > client.
>
> In this new version of the document - perhaps we make this more directive?
> E.g. either prohibit it (obsolete it) entirely, or do a MUST be rejected
> unless provided inside a client-cert authenticated TLS session or be more
> specific about what "authenticate the client" means?

That's what ODMR
<https://datatracker.ietf.org/doc/html/rfc2645#section-5.2.1> is about.
We now have:

  - TURN long obsolete, plausibly no longer implemented by any MTAs.

  - ETRN, nudge to drain the queue over a separate fresh connection (or
    multiple connections). [ Postfix includes ETRN support by default
    for deferred mail to domains listed in $fast_flush_domains. ]

  - ATRN (ODMR) (don't know which MTAs might support this).

  * Multi-recipient mailboxes with "fetchmail" were not long ago a
    somewhat popular alternative. This alternative works well if the
    connectivity is so intermittent as to risk deferred mail bouncing
    after exceeding the retry time.

> I'm now kind of curious how many SMTP servers still support TURN.

None of the mainstream usual suspects.

--
    Viktor.