Michael Holzt wrote:

So in my opinion you are wrong. Adding SMTP AUTH after HELO is not in
violation of any RFC. It is just not mandatory.

RFC-1425, SMTP Service Extensions, describes the standard way to extend the SMTP protocol. The client signals that it might want to use extensions by initiating the SMTP session with EHLO; the server (if it supports any extensions) then replies with a multi-line list of supported extensions. The language in the first paragraph of Section 4 states that any client which supports extensions /should/ begin with EHLO. AFAICT, the only reason this isn't expressed as an absolute requirement (i.e. 'must') is that all SMTP clients are required to support plain HELO handling anyway, and so the client is free to use the lower-grade protocol (if it wants to) at the beginning of the conversation.


The whole design of Service Extensions is in the form of a negotiation between server and client. By your reasoning, there is no valid purpose to support EHLO at all, since the client can just bang away on the server and try all possible extensions until it finds one it likes. This is not good design, obviously. The fact that really old servers are tolerant of bad behavior by really old clients isn't, IMHO, much to recommend ignoring conscious design choices (made, I may point out, 11 years ago).

John
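The negotiation described in the message above, as an added example that is not part of the original thread: a client parses the multi-line EHLO reply and attempts AUTH only when the server advertised it. The host names, sample replies and function names are constructed for illustration.

```python
import re

# Constructed sample replies to EHLO (not captured from a real server).
EHLO_REPLY = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 10240000\r\n"
    "250-8BITMIME\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 HELP\r\n"
)
EHLO_REFUSED = "500 Command unrecognized\r\n"  # HELO-only server

_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(raw):
    """Split one SMTP reply into (code, [text per line]); reject malformed input."""
    parts = raw.split("\r\n")
    if parts[-1] == "":
        parts.pop()
    if not parts:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, line in enumerate(parts):
        m = _LINE.match(line)
        if m is None or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed reply line: {line!r}")
        code = m.group(1)
        # "250-" marks a continuation line; only the final line may omit the dash.
        if (m.group(2) != "-") != (i == len(parts) - 1):
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3) or "")
    return int(code), texts

def extensions(raw_ehlo_reply):
    """Return {KEYWORD: [params]} from an EHLO reply, or None if EHLO was refused."""
    code, texts = parse_reply(raw_ehlo_reply)
    if code != 250:
        return None  # no negotiation took place: continue with HELO, no extensions
    exts = {}
    for text in texts[1:]:  # the first line is the server's greeting, not a keyword
        words = text.split()
        if words:
            exts[words[0].upper()] = words[1:]
    return exts

def choose_auth(raw_ehlo_reply, preferred):
    """Pick the first preferred mechanism the server advertised, else None."""
    exts = extensions(raw_ehlo_reply)
    offered = {m.upper() for m in (exts or {}).get("AUTH", [])}
    return next((m for m in preferred if m.upper() in offered), None)
```
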
