On 22-May-08, at 10:45 PM, John Peacock wrote:
STARTTLS is not required to happen immediately after EHLO (not
HELO, which doesn't support ESMTP extensions). And yes, you must
completely discard every portion of the SMTP state that has
occurred up to that point (just like with RSET).

The RFC is extremely plain on this point: after STARTTLS has been
sent and negotiated, the MTA must behave as if a completely new
transaction has started (as indeed, it has). The transaction
*must* be reset and all information contained therein must be
thrown away. In practice, there isn't anything there to begin
with, since all of the well-formed MTAs always sent STARTTLS as
soon as practical (i.e. as soon as they see the initial EHLO
banner), if they are going to send it at all.

I don't think we should care so much about the RFCs. If there are
bits in connection notes that might help determine if this is spam
(or some other thing we're trying to detect) before STARTTLS, we need
to allow qpsmtpd to keep that information.
Matt.
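
Added example, not part of the original messages and not qpsmtpd code: a small Python model of the reset discussed above, in which STARTTLS returns the session to its post-greeting state while the cleartext-phase notes are moved into a separate bucket that is only ever read as scoring hints. The class, its field names and the note key used in testing are hypothetical; the reply strings are simplified.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    """Toy SMTP server-side state; names are hypothetical, not qpsmtpd's API."""
    tls: bool = False
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpts: list = field(default_factory=list)
    notes: dict = field(default_factory=dict)          # may drive SMTP decisions
    pre_tls_notes: dict = field(default_factory=dict)  # scoring hints only

    def reset_transaction(self) -> None:
        self.mail_from, self.rcpts = None, []

    def starttls(self) -> None:
        # Everything learned in cleartext is unauthenticated: move it aside,
        # labelled, then return to the state right after the 220 greeting.
        self.pre_tls_notes = {"helo": self.helo, **self.notes}
        self.helo, self.notes = None, {}
        self.reset_transaction()
        self.tls = True

    def command(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.reset_transaction()
            self.helo = arg
            return "250 ok"
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.starttls()
            return "220 ready to start TLS"
        if verb == "RSET":
            self.reset_transaction()
            return "250 ok"
        if self.helo is None:
            return "503 send EHLO first"
        if verb == "MAIL" and self.mail_from is None:
            self.mail_from = arg
            return "250 ok"
        if verb == "RCPT" and self.mail_from is not None:
            self.rcpts.append(arg)
            return "250 ok"
        return "503 bad sequence of commands"
```

An envelope started before STARTTLS does not survive the handshake, so a RCPT sent straight after it is refused until the client sends EHLO again.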