Internet Draft: On-Demand Mail Relay R. Gellens Document: draft-gellens-on-demand-00.txt QUALCOMM, Inc. Expires: 5 May 1998 5 November, 1997 On-Demand Mail Relay Status of this Memo: This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a "working draft" or "work in progress." To learn the current status of any Internet Draft, please check the "1id-abstracts.txt" listing contained in the Internet Drafts shadow directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). A version of this draft document is intended for submission to the RFC editor as a Proposed Standard for the Internet Community. Discussion and suggestions for improvement are requested. Please send comments to the IETF Disconnected SMTP mailing list, . To subscribe, send a message containing SUBSCRIBE to . This document will expire before the end of May 1998. Distribution of this draft is unlimited. The file name of this version is draft-gellens-on-demand-00.txt Introduction With the spread of low-cost computer systems and Internet connectivity, the demand for local mail servers had been rising. Many people now want to operate a mail server on a system which has only an intermittent connection to a service provider. If the system has a static IP address, the [ESMTP] [ETRN] command can be Gellens Expires May 1998 [Page 1] Internet Draft On-Demand Mail Relay November 1997 used. However, systems with dynamic IP addresses (which are very common with low-cost connections) have no good solution. This memo proposes a new service, On-Demand Mail Relay, which is a profile of [ESMTP], providing for a secure, extensible, easy to implement approach to the problem. 1. Conventions Used in this Document Because the client and server roles reverse during the session, to avoid confusion, the terms "customer" and "provider" will be used in place of "client" and "server", although of course this protocol may be useful in cases other than commercial service providers and customers. In examples, "P:" is used to indicate lines sent by the provider, and "C:" indicates those sent by the customer. Line breaks within a command are for editorial purposes only. The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as defined in [KEYWORDS]. 2. Description On-Demand Mail Relay is a restricted profile of SMTP which runs on port xxxx. The initial client and server roles are short-lived, as the point is to allow the intermittently-connected host to request mail held for it by a service provider. The customer initiates a connection to the provider, authenticates, and requests its mail. The roles of client and server then reverse, and normal [ESMTP] proceeds. The provider has an On-Demand Mail Relay process listening for connections on port xxxx. This process does not need to be a full SMTP server. It does need to be an SMTP client with access to the outgoing mail queues, and as a server implement the EHLO, AUTH, TURN, and QUIT commands. An MTA normally has a mail client component which processes the outgoing mail queues, attempting to send mail for particular domains, based on time or event (such as new mail being placed in the queue, or receipt of an ETRN command by the SMTP server component). The On-Demand Mail Relay service processes the outgoing queue not on a timer or new mail creation, but on request. Gellens Expires May 1998 [Page 2] Internet Draft On-Demand Mail Relay November 1997 3. States The On-Demand Mail Relay service has three states: an initial state, an authenticated state, and a reversed state. The state progression is illustrated in the following diagram: --------------------------- ! initial state ! --------------------------- ! ! QUIT AUTH ! ! ! V ! ----------------------- ! ! authenticated state ! ! ----------------------- ! ! ! ! QUIT TURN ! ! ! ! ! V ! ! ------------------ ! ! ! reversed state ! ! ! ------------------ ! ! ! ! ! QUIT ! ! ! V V V --------------------- ! termination ! --------------------- 3.1. Initial State In the initial state, the provider is the server and the customer is the client. Three commands are valid: EHLO, AUTH, and QUIT. 3.1.1. EHLO The EHLO command is the same as in [ESMTP]. The response must include AUTH and TURN. 3.1.2. AUTH AUTH is specified in [AUTH]. The AUTH command uses a [SASL] mechanism to authenticate the session. The session is not considered authenticated until a success response to AUTH has been sent. Gellens Expires May 1998 [Page 3] Internet Draft On-Demand Mail Relay November 1997 For interoperability, implementations MUST support the CRAM-MD5 mechanism. Other SASL mechanisms may be supported. A site may disable CRAM-MD5 support if it uses more secure methods. The EXTERNAL mechanism might be useful in some cases, for example, if the provider has already authenticated the client, such as during a PPP connection. 3.1.3. QUIT The QUIT command is the same as in [SMTP]. 3.2. Authenticated State The authenticated state is entered after a successful AUTH command. Two commands are valid in the authenticated state: TURN and QUIT. 3.2.1. TURN Unlike the TURN command in [SMTP], here the TURN command takes one or more domains as a parameter. The TURN command MUST be rejected if the session has not been authenticated. Response code 503 should be used for this. The timeout for this command MUST be at least 15 minutes to allow the provider time to process its mail queue. If the authentication used by the customer does not provide access to any of the domains specified in TURN, the provider MUST NOT send mail for those domains to the customer. The provider MUST reject the TURN command with a 450 code. If the customer does have access to all of the specified domains, but none of them have any queued mail, the provider also rejects the TURN with 450. If [SMTP-CODES] is used according to [CODES-EXTENSION], the provider MUST NOT distinguish between these cases. If the customer has access to all of the specified domains and mail exists in at least one of them, the provider issues a 250 success code. ABNF for TURN: turn ::= "TURN" domain *("," domain) domain ::= sub-domain 1*("." sub-domain) sub-domain ::= letter-digit *(ldh-str) letter-digit ::= alpha / digit ldh-str ::= *(alpha / digit / "-") letter-digit alpha ::= digit ::= 3.3. Reversed State After the provider has sent a success reply to the TURN command, the roles reverse, and the customer becomes the server, and the provider becomes the client. At this point normal [ESMTP] commands are used. Typically the provider sends MAIL FROM immediately following the success response to TURN. 3.4. Other Commands The provider SHOULD reject all commands other than EHLO, AUTH, TURN, and QUIT with response code 502. 4. Example On-Demand Mail Relay Session: P: 220 ISP.NET on-demand mail relay server ready C: EHLO foobar.net P: 250-AUTH=CRAM-MD5 Kerberos-v5 P: 250 TURN C: AUTH CRAM-MD5 P: 334 MTg5Ni42OTcxNzA5NTJASVNQLkNPTQo= C: Zm9vYmFyLm5ldCBiOTEzYTYwMmM3ZWRhN2E0OTViNGU2ZTczMzRkMzg5MAo= P: 235 now authenticated as foobar.net C: TURN foobar.net, vanity.com P: 250 [9876foo] OK now reversing the connection P: MAIL FROM: C: 250 OK P: RCPT TO: C: 250 OK, recipient accepted ... P: QUIT C: 221 foobar.net closing connection 5. Alternative Approaches A number of alternative approaches were considered: 5.1. ETRN, ETRN extension, ETRN-like command ETRN is a very workable solution for intermittently-connected MTAs which have a static IP address. For MTAs with a dynamic address, we need to distinguish a normal ETRN (which should use the DNS) from a dynamic ETRN (which would normally use the IP address that the client is presently on). Gellens Expires May 1998 [Page 5] Internet Draft On-Demand Mail Relay November 1997 Several possible solutions to this problem were considered: 1. A new command (DTRN) 2. A optional parameter to ETRN: ETRN [192.168.15.2:8025] foobar.net The presence of an IP address in square brackets would serve to indicate that this is an ETRN for use with an intermittently-connected host, and also allow the host to request use of a port other than 25. It would also clue the server that it should reject the command unless the client was authenticated. Because the ETRN syntax does not allow for an optional parameter (other than a single-character flag), and because there needs to be a way for the provider to advertise support for the dynamic ETRN capability, the new command seems the better approach. Because the provider responds to ETRN by opening a new connection back to the customer, there is a potential timing hole: the customer could get disconnected, and another customer, which also runs an MTA, could connect at just the right time and be assigned the IP address previously used by the customer which issued the ETRN. Several potential solutions to this problem were considered: 1. The provider opens the new connection to the customer before responding to DTRN. This allows it to verify that it reached the correct IP address, and that the customer is still connected on the first connection: P: 220 ISP.NET mail server ready C: EHLO foobar.net P: 250-AUTH=CRAM-MD5 Kerberos-v5 P: 250 DTRN C: AUTH CRAM-MD5 P: 334 MTg5Ni42OTcxNzA5NTJASVNQLkNPTQo= C: Zm9vYmFyLm5ldCBiOTEzYTYwMmM3ZWRhN2E0OTViNGU2ZTczMzRkMzg5MAo= P: 235 now authenticated as foobar.net C: DTRN foobar.net ... C: 250 foobar.net mail server ready P: EHLO ISP.COM C: 250 OK P: MAIL FROM... ... P: 250 [9876foo] OK new connection opened Gellens Expires May 1998 [Page 6] Internet Draft On-Demand Mail Relay November 1997 Drawbacks: constrains the amount of time in which the provider must process its queue (to avoid timeout on DTRN). Delays additional activity on the first connection. Requires the provider to be immediately aware if the first connection closes. Requires the provider to coordinate activity and state on two connections, which is difficult in some implementations. Advantage: simple. 2. Turn the connection (with a new command, since TURN is deprecated and not supported by most MTAs): P: 220 ISP.NET mail server ready C: EHLO foobar.net P: 250-AUTH=CRAM-MD5 Kerberos-v5 P: 250 RTRN C: AUTH CRAM-MD5 P: 334 MTg5Ni42OTcxNzA5NTJASVNQLkNPTQo= C: Zm9vYmFyLm5ldCBiOTEzYTYwMmM3ZWRhN2E0OTViNGU2ZTczMzRkMzg5MAo= P: 235 now authenticated as foobar.net C: RTRN foobar.net P: 250 [9876foo] OK now reversing the connection P: MAIL FROM Drawbacks: requires customer's server to open an additional connection if it has mail to send and wants to send and receive at the same time; architecturally difficult in many server implementations; requires provider's mail server to be able to process queue within reasonable time period (to avoid timeout on RTRN). Advantages: very simple design, few additional round-trips. 3. The provider responds to DTRN with a key (a random number) that the customer returns in the EHLO response or the greeting when the new connection is opened: P: 220 ISP.NET mail server ready C: EHLO foobar.net P: 250-AUTH=CRAM-MD5 Kerberos-v5 P: 250 DTRN C: AUTH CRAM-MD5 P: 334 MTg5Ni42OTcxNzA5NTJASVNQLkNPTQo= C: Zm9vYmFyLm5ldCBiOTEzYTYwMmM3ZWRhN2E0OTViNGU2ZTczMzRkMzg5MAo= P: 235 now authenticated as foobar.net C: DTRN foobar.net P: 250 [9876foo] OK will open new connection ... C: 220 foobar.net mail server ready P: EHLO ISP.COM C: 250 DTRN ID [9876foo] P: MAIL FROM Gellens Expires May 1998 [Page 7] Internet Draft On-Demand Mail Relay November 1997 Drawbacks: requires customer's server to maintain state between the ISP connection and the new connection. Advantages: simple, few additional round-trips. 4. The customer includes in DTRN a key (a random number) that the provider sends in a new command when the new connection is opened: P: 220 ISP.NET mail server ready C: EHLO foobar.net P: 250-AUTH=CRAM-MD5 Kerberos-v5 P: 250 DTRN C: AUTH CRAM-MD5 P: 334 MTg5Ni42OTcxNzA5NTJASVNQLkNPTQo= C: Zm9vYmFyLm5ldCBiOTEzYTYwMmM3ZWRhN2E0OTViNGU2ZTczMzRkMzg5MAo= P: 235 OK now authenticated as foobar.net C: DTRN foobar.net "9876foo" P: 250 OK will open new connection ... C: 220 foobar.net mail server ready P: DTRNID "9876foo" C: 250 OK Please send me my mail P: MAIL FROM Drawbacks: the provider has no assurance it reached the correct system; any system could respond to DTRNID (with any key) with an OK. 5. Require a new authentication for the new connection: P: 220 ISP.NET mail server ready C: EHLO foobar.net P: 250-AUTH=CRAM-MD5 Kerberos-v5 P: 250 DTRN C: AUTH CRAM-MD5 P: 334 MTg5Ni42OTcxNzA5NTJASVNQLkNPTQo= C: Zm9vYmFyLm5ldCBiOTEzYTYwMmM3ZWRhN2E0OTViNGU2ZTczMzRkMzg5MAo= P: 235 now authenticated as foobar.net C: DTRN foobar.net P: 250 OK will open new connection ... C: 220 foobar.net mail server ready P: EHLO ISP.COM C: 250 AUTH=CRAM-MD5 Kerberos-v5 P: AUTH CRAM-MD5 C: 334 MTg5Ni42OTcxNzA2ODNAZm9vYmFyLm5ldAo= P: ISP.COM a872b304a4bcd3b587a2bcd938473849 C: 235 ISP.COM verified, please send me my mail The second authentication could use the same shared secret as the first, to make things simpler. Drawbacks: while the customer can now trust the provider, the provider has no assurance it reached the correct system; any system could respond to AUTH (with any ID and secret) with an OK. Gellens Expires May 1998 [Page 8] Internet Draft On-Demand Mail Relay November 1997 6. Require a reverse authentication (a challenge) for the new connection: P: 220 ISP.NET mail server ready C: EHLO foobar.net P: 250-AUTH=CRAM-MD5 Kerberos-v5 P: 250 DTRN C: AUTH CRAM-MD5 P: 334 MTg5Ni42OTcxNzA5NTJASVNQLkNPTQo= C: Zm9vYmFyLm5ldCBiOTEzYTYwMmM3ZWRhN2E0OTViNGU2ZTczMzRkMzg5MAo= P: 235 now authenticated as foobar.net C: DTRN foobar.net P: 250 OK will open new connection ... C: 220 foobar.net mail server ready P: EHLO ISP.COM C: 250 CHAL=CRAM-MD5 Kerberos-v5 P: CHAL CRAM-MD5 <1896.697170683@foobar.net> C: 250 SVNQLkNPTSBhODcyYjMwNGE0YmNkM2I1ODdhMmJjZDkzODQ3Mzg0OQo= P: MAIL FROM Drawbacks: requires a total of three new commands (AUTH, DTRN, and CHAL). The customer is potentially sending its ID and the challenge result to anybody who connects, which makes the customer's secret susceptible to an offline dictionary attack, without the need of intercepting any traffic (better authentication mechanisms could be deployed which would avoid this problem; also, the customer can check the IP address to ensure it is within the provider's network; the customer could also require that the provider's server authenticate before issuing the CHAL). The CHAL command is a bit strange. Advantages: the same authentication code and database can be used for both AUTH and CHAL. The provider is assured it is talking to the correct system. The first authentication (before the DTRN) could be made optional. 7. The On-Demand Mail Relay service, as proposed here. Drawbacks: requires customer's server to open an additional connection if it has mail to send and wants to send and receive at the same time; requires provider's process to be able to process queue within reasonable time period (to avoid timeout on TURN). Advantages: avoids the architectural difficulty of TURN on port 25, since the on-demand relay server does not need to be a full mail server, but instead essentially an SMTP client which accepts a few specific commands; few additional round-trips. The method proposed in this memo (the On-Demand Mail Relay service) seems to offer the best trade-offs among security, extensibility, simplicity, and deployability of the alternatives explored. Gellens Expires May 1998 [Page 9] Internet Draft On-Demand Mail Relay November 1997 6. Security Considerations Because access to the On-Demand Mail Relay server is only useful with a prior arrangement between the parties (so the provider is the target of MX records for the customer's domains and thus has mail to relay), it may be useful for the provider to restrict access to the On-Demand Mail Relay port. For example, a TCP wrapper or firewall could be used to block access to port xxxx except within the provider's network. This might be useful when the provider is the customer's ISP. Use of such mechanisms does not reduce the need for the AUTH command, however, but can increase the security it provides. Use of SASL in the AUTH command allows for substitution of more secure authentication mechanisms in the future. See sections 3.1.2. and 3.2.1. for additional security details. 7. Acknowledgments This draft has been developed in part based on comments and discussions which took place on and off the IETF-disconn-smtp mailing list. 8. References [ESMTP] Klensin, J., Freed, N., Rose, M., Stefferud, E., and D. Crocker, "SMTP Service Extensions", RFC 1869, STD 10, November 1995, [ETRN] De Winter, J., "SMTP Service Extension for Remote Message Queue Starting", RFC 1985, August 1996, [KEYWORDS] Bradner, "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997, [SASL] Myers, J., "Simple Authentication and Security Layer (SASL)", (work in progress), [AUTH] Myers, J., "SMTP Service Extension for Authentication", (work in progress), Gellens Expires May 1998 [Page 10] Internet Draft On-Demand Mail Relay November 1997 [SMTP] J. Postel, "Simple Mail Transfer Protocol", RFC 821, STD 10, August 1982, [CODES-EXTENSION] Freed, N., "SMTP Service Extension for Returning Enhanced Error Codes", RFC 2034, October 1996, [SMTP-CODES] Vaudreuil, G., "Enhanced Mail System Status Codes", RFC 1893, January 1996, 9. Author's Address Randall Gellens +1.619.651.5115 Qualcomm, Inc. +1.619.651.5334 (fax) 6455 Lusk Blvd. Randy@Qualcomm.Com San Diego, CA 92121-2779 U.S.A. Gellens Expires May 1998 [Page 11]