I have started digging after your response, and they are sending ID! But
they are sending ID before authentication; our IMAP proxy seems to be
dropping the ID command if the user is not authenticated.
It applies to:
com.android.email
com.google.android.gm
com.samsung.android.email.provider
com.huawei.email
The RFC says:
Since this command includes arbitrary data and does not require the
user to authenticate, server implementations are cautioned to guard
against an attacker sending arbitrary garbage data in order to fill
up the ID log. In particular, if a server naively logs each ID
command to disk without inspecting it, an attacker can simply fire up
thousands of connections and send a few kilobytes of random data.
Servers have to guard against this. Methods include truncating
abnormally large responses; collating responses by storing only a
single copy, then keeping a counter of the number of times that
response has been seen; keeping only particularly interesting parts
of responses; and only logging responses of users who actually log
in.
So that behavior seems legitimate, but in my opinion ID should be sent
after authenticating.
Thanks.
On 2020-07-30 17:50, Marcel Becker via mailop wrote:
> On Thu, Jul 30, 2020 at 7:07 AM Edgaras Lukoševičius via mailop
> <mailop@mailop.org> wrote:
> > It would be nice if Gmail App (Android, iOS), as well as Gmail
> > Webmail would identify themselves by sending ID:
> > https://tools.ietf.org/html/rfc2971
> > I have noticed that Gmail is not doing that. Also Samsung Mail App
> > is not doing that, and a few minor MUAs.
> I could swear we see Samsung and Gmail (at least Android) come in with
> an ID command.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
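
The guards listed in the RFC text quoted above (truncating, collating with a counter, keeping only interesting fields, logging only for users who log in), as an added Python example that is not from the thread or from any proxy mentioned in it. `IdLogGuard`, its hook names, `KEEP` and the 64-character limit are assumptions, and the sample ID lines are constructed.

```python
import re
from collections import Counter

MAX_PAIRS = 30   # RFC 2971 allows at most 30 field-value pairs
MAX_VALUE = 64   # log-side truncation per value (assumed limit)
KEEP = ("name", "version", "os", "vendor")  # fields worth logging (assumed)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_id(line):
    """Field/value pairs of an `ID (...)` command; `ID NIL` gives {}.
    Handles quoted strings only, not IMAP literals."""
    strings = QUOTED.findall(line)[: 2 * MAX_PAIRS]
    return {k.lower(): v for k, v in zip(strings[0::2], strings[1::2])}

class IdLogGuard:
    """Holds pre-auth ID data per connection; records it only after login."""
    def __init__(self):
        self.pending = {}      # connection id -> normalised ID tuple
        self.seen = Counter()  # normalised ID tuple -> times seen

    def on_id(self, conn, line):
        fields = parse_id(line)
        # Keep only the interesting fields and truncate each value.
        self.pending[conn] = tuple(
            (k, fields[k][:MAX_VALUE]) for k in KEEP if k in fields)

    def on_login_ok(self, conn):
        ident = self.pending.pop(conn, None)
        if ident:
            self.seen[ident] += 1  # collate: one copy plus a counter
        return ident

    def on_close(self, conn):
        self.pending.pop(conn, None)  # never authenticated: nothing logged

def demo():
    g = IdLogGuard()
    # Constructed sample traffic, not captured from any client.
    g.on_id(1, 'a1 ID ("name" "com.android.email" "os" "android")')
    g.on_login_ok(1)
    g.on_id(2, 'b1 ID ("name" "' + "A" * 4000 + '")')  # garbage, no login
    g.on_close(2)
    g.on_id(3, 'c1 ID ("os" "android" "name" "com.android.email")')
    g.on_login_ok(3)
    return dict(g.seen)

if __name__ == "__main__":
    print(demo())
```

Because the pre-authentication ID is held rather than dropped, a client that sends ID before LOGIN is still identified once it authenticates, while connections that never log in leave no log entry.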