dma(8): Always send EHLO after TLS negotiation

Daniel Roethlisberger daniel at roe.ch
Sat Jan 17 10:35:56 PST 2009


The attached patch fixes dma(8) to issue EHLO again after
STARTTLS.  Some MTAs require EHLO to be issued after STARTTLS and
will refuse RCPT TO directly following STARTTLS.

dma(8) currently only issues EHLO after negotiating TLS if
port-465-style SMTPS (no STARTTLS) was configured.  However,
since the server is required to discard any knowledge obtained
from the client previously, EHLO should be issued again after
STARTTLS.  The relevant passage from RFC 3207:

4.2 Result of the STARTTLS Command

   Upon completion of the TLS handshake, the SMTP protocol is reset to
   the initial state (the state in SMTP after a server issues a 220
   service ready greeting).  The server MUST discard any knowledge
   obtained from the client, such as the argument to the EHLO command,
   which was not obtained from the TLS negotiation itself.  The client
   MUST discard any knowledge obtained from the server, such as the list
   of SMTP service extensions, which was not obtained from the TLS
   negotiation itself.  The client SHOULD send an EHLO command as the
   first command after a successful TLS negotiation.

   [...]

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
--- libexec/dma/net.c.orig	2008-09-30 19:47:21.000000000 +0200
+++ libexec/dma/net.c	2009-01-17 19:02:43.000000000 +0100
@@ -342,14 +342,10 @@
 				it->queueid);
 		else
 			goto out;
-	}
-
-	/*
-	 * If the user doesn't want STARTTLS, but SSL encryption, we
-	 * have to enable SSL first, then send EHLO
-	 */
-	if (((config->features & STARTTLS) == 0) &&
-	    ((config->features & SECURETRANS) != 0)) {
+		/*
+		 * The client SHOULD send an EHLO command as the
+		 * first command after a successful TLS negotiation.
+		 */
 		send_remote_command(fd, "EHLO %s", hostname());
 		if (read_remote(fd, 0, NULL) != 2) {
 			syslog(LOG_ERR, "%s: remote delivery deferred: "




More information about the Submit mailing list