[Imap-protocol] Pipelined commands before completion of STARTTLS
murch at andrew.cmu.edu
Tue Mar 8 12:25:18 PST 2011
Pursuant to http://www.kb.cert.org/vuls/id/555316
I was wondering what the proper server behavior should be if a client
sends commands between STARTTLS and the server response. RFC 3501
states that this is a client MUST NOT but doesn't discuss how the server
should handle it.
I can see two possibilities (maybe there are others):
1. Send a BAD response if a command is pipelined after STARTTLS. Should
BAD be sent in response to STARTTLS or the following command?
2. Ignore the pipelined cleartext commands.
- Should this be done regardless of whether TLS is negotiated successfully?
- Can/Should the connection be immediately terminated?
- Should the behavior be any different for POP3, NNTP, SMTP/LMTP?
Principal Systems Software Engineer
Carnegie Mellon University
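
An added illustration, not part of the original message and not code from any IMAP server: the two options listed above, applied to the cleartext bytes a server has already buffered when it parses STARTTLS. The class, function and policy names are hypothetical and the sample input is constructed; leaving the leftover commands to the cleartext session under the "reject" policy is an assumption of this sketch.

```python
# Added illustration; names are hypothetical, sample input is constructed.
class PlaintextBuffer:
    """Bytes already read from the socket while the session is still cleartext."""
    def __init__(self, data=b""):
        self.data = bytearray(data)

    def read_line(self):
        end = self.data.find(b"\r\n")
        if end < 0:
            return None
        line = bytes(self.data[:end])
        del self.data[:end + 2]
        return line

def handle_starttls(buf, tag, policy):
    """Return (response, start_tls). Invariant: TLS starts only on an empty buffer."""
    if not buf.data:                       # well-behaved client: nothing pipelined
        return tag + b" OK Begin TLS negotiation now", True
    if policy == "reject":                 # option 1: BAD on the STARTTLS itself
        return tag + b" BAD Data pipelined after STARTTLS", False
    if policy == "discard":                # option 2: drop the cleartext leftovers
        buf.data.clear()
        return tag + b" OK Begin TLS negotiation now", True
    raise ValueError("unknown policy: %r" % policy)

def serve(wire_bytes, policy):
    """Run the cleartext command loop over one read; return (responses, start_tls, buf)."""
    buf, responses = PlaintextBuffer(wire_bytes), []
    while (line := buf.read_line()) is not None:
        tag, _, command = line.partition(b" ")
        if command.upper() == b"STARTTLS":
            response, start_tls = handle_starttls(buf, tag, policy)
            responses.append(response)
            if start_tls:
                return responses, True, buf    # the TLS handshake would begin here
        else:
            responses.append(tag + b" OK " + command.split(b" ")[0] + b" completed")
    return responses, False, buf

# Constructed sample: one read that carries STARTTLS plus a pipelined command.
SAMPLE = b"a1 STARTTLS\r\na2 NOOP\r\n"
```

In both policies the property to check is the same: no byte received before the handshake is still in the buffer when the TLS layer takes over the connection.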