
In RFC 821, it says that a reset (RSET) command can be sent after a DATA command and some mail data has been sent:

However, what distinguishes between a mail client sending an RSET command after DATA, and a mail that contains the word "RSET" on a line by itself?

I've checked RFC 5321 as well and I can't see anything that would mitigate or escape this. It does talk about escaping a mail line which starts with a ".", but not "RSET".

The client cannot terminate the mail data transfer with a period on a line by itself or the server will send the partial mail it has been given.

I imagine there's something I've missed in the RFCs, otherwise I can't help thinking that there's either an SMTP command injection attack vector in many implementations, or no-one can ever send a mail with "RSET" on a line by itself (I think people would have noticed).


2 Answers


The keyword here is *after*, I believe. The DATA command is in progress until it is finished with a lone `.` on a line.

  • Correct. Once you start a `DATA` command, you cannot abort it except to drop the connection. – jstedfast Dec 18 '18 at 14:31
  • Fair enough, except that the RFC states for `RSET` that "Any stored sender, recipients, and mail data must be discarded". If `RSET` cannot be used between `DATA` and `.`, and the `.` will end the mail transaction and send the mail, in what situation would `RSET` ever have mail data to discard? – Trevor Dec 18 '18 at 14:39
  • 1
    Probably this is why this passage was removed from 5321. You'll notice that 5321 indirectly supersedes 821 (via 2821). – tripleee Dec 18 '18 at 14:42
  • @tripleee – [RFC 5321 § 4.1.1.5 (RSET)](https://tools.ietf.org/html/rfc5321#section-4.1.1.5) states "any stored sender, recipients, and mail data MUST be discarded" so it at least survives there. See also [my answer](https://stackoverflow.com/a/53839085/519360). – Adam Katz Dec 18 '18 at 18:32

RFC 5321 § 4.1.1.5 (RSET) states "any stored sender, recipients, and mail data MUST be discarded." This refers to the MAIL FROM, RCPT TO, and presumably DATA commands.

However, upon receiving the . following DATA, the message "MUST" be delivered (which may result in a failure but not a partial failure, see § 4.1.1.4). This clears the buffer of everything RSET is supposed to do.

This means RSET merely elicits a 250 OK response from the receiving server (a keep-alive, much like NOOP) and confirms to the sender that there is indeed no saved sender or recipient queued for the next message.

I do not know of a way to interrupt a DATA command to issue a RSET. The only way I know of to do that is to terminate the connection and establish a new one—and, just to be safe in the case of some odd resumption capability, I'd issue an RSET right after the EHLO or HELO (which the spec says is a NOOP). If there were such a way, it should be in RFC 5321 § 4.1.1.4, § 4.1.1.5, and/or § 3.3.

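An added illustration, not code from the question or either answer: a toy server-side SMTP state machine in Python that models the DATA-phase rule both answers rely on (RFC 5321 § 4.1.1.4). Once DATA has been accepted, no command parsing happens until a line consisting of a single `.`, so a line reading `RSET` is stored as message text, and a leading `.` is stripped (dot-unstuffing). The addresses, the client transcript and the exact reply strings are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SmtpSession:
    sender: str = ""
    recipients: list = field(default_factory=list)
    data_lines: list = field(default_factory=list)
    delivered: list = field(default_factory=list)
    in_data: bool = False

    def reset(self):  # RSET semantics: drop stored sender, recipients and buffered mail data
        self.sender, self.recipients, self.data_lines = "", [], []

    def feed_line(self, line):
        """Handle one CRLF-delimited client line; return the reply ('' for content lines)."""
        if self.in_data:  # no command parsing happens in this state
            if line == ".":  # lone dot ends the mail data; the whole message is accepted
                self.in_data = False
                self.delivered.append({"from": self.sender, "to": list(self.recipients),
                                       "body": "\r\n".join(self.data_lines)})
                self.reset()  # delivery empties the buffers; a later RSET has nothing to discard
                return "250 OK"
            # Dot-unstuffing strips one leading "." (".." -> "."); a bare "RSET" stays as sent.
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return ""
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb == "MAIL":
            self.sender = line.split(":", 1)[1].strip()
            return "250 OK"
        if verb == "RCPT":
            self.recipients.append(line.split(":", 1)[1].strip())
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "RSET":
            self.reset()
            return "250 OK"
        return "500 Syntax error, command unrecognized"

def run(lines):  # feed a whole client transcript; return (non-empty replies, delivered messages)
    session = SmtpSession()
    return [r for r in map(session.feed_line, lines) if r], session.delivered

# Constructed client transcript (not real traffic): "RSET" inside the body and after the ".".
TRANSCRIPT = ["MAIL FROM:<alice@example.test>", "RCPT TO:<bob@example.test>", "DATA", "Subject: test", "",
              "RSET",  # message text, not a command: the session is still inside DATA
              "..",    # dot-stuffed by the client; stored as "."
              ".",     # terminator: the message is delivered in full
              "RSET"]  # real command now, but there is nothing left to discard
```

Running `run(TRANSCRIPT)` delivers one message whose body contains the literal `RSET` line, and the final `RSET` only returns `250 OK` with empty buffers, which is the behaviour the second answer describes.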