fetchmail-friends

Re[2]: [fetchmail] Fetchmail 6.1.1 can't login to a server that 5.9.14 can handle?

2002-11-25 07:32:48
On Mon, 25 Nov 2002 19:44:06 +0530 Sunil Shetye <shetye(_at_)bombay(_dot_)retortsoft(_dot_)com> wrote:

I think STARTTLS is only used when connecting to the imap port. There
is no question of using other ssl protocols here. When connecting to
the simap port, STARTTLS is not used at all. There are two disjoint
cases.

Yes.

That's bad. STARTTLS is good because it does not need any configuration
on the client side, and it would be nice if it was used when STARTTLS/STLS
is in capabilities - communications would be more secure by default.

IMO, it is better to specify sslproto explicitly. Otherwise, this is
equivalent (conceptually) to trying to connect to simap port first
when protocol is imap just to have more security by default. If the
option 'ssl' is explicitly required to connect to simap port, then the
option 'sslproto tls1' too should be explicitly required to use
STARTTLS.

No, it is not equivalent IMO. If server advertises STARTTLS/STLS, we _should_
try to use it. It is not the same as trying to connect to another port first
- the server actually advertises STARTTLS when logging normally, as one
of authentication methods, so we use it. Confusion probably arises because
fetchmail does not make a lot of distinction between ssl and tls1 methods,
while there is - ssl uses another port and methods, while tls1 uses the same
imap/pop3 port and the beginning of the authentication is in clear text.

Regards,
Nerijus
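
The three behaviours debated in this thread, as an added example that is not part of the original message and is not fetchmail's code: TLS-on-connect on the dedicated port, STARTTLS only when explicitly required, and STARTTLS whenever the server advertises it. The mode names, function names and server responses are constructed for illustration.

```python
import re

# Constructed sample server responses (not captured from a real server).
IMAP_CAPA = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"
IMAP_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS] server ready"
IMAP_NO_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
POP3_CAPA = "+OK Capability list follows\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"

def advertises_upgrade(proto, response):
    """Return True if the capability response offers an in-band TLS upgrade."""
    lines = response.splitlines()
    if proto == "imap":
        # IMAP lists capabilities as atoms after CAPABILITY, either on an
        # untagged line or inside a [CAPABILITY ...] response code.
        for line in lines:
            m = re.search(r"CAPABILITY ([^\]\r\n]*)", line, re.I)
            if m and "STARTTLS" in m.group(1).upper().split():
                return True
        return False
    if proto == "pop3":
        # POP3 CAPA returns one capability per line; the upgrade is STLS.
        return any(l.strip().upper() == "STLS" for l in lines)
    raise ValueError("unknown protocol: %r" % proto)

def plan(proto, response, mode):
    """Decide how to proceed before any credentials are sent.

    mode (hypothetical names):
      'implicit'      - TLS from the first byte on the dedicated port;
                        capabilities are never consulted.
      'required'      - same port as cleartext, but STARTTLS/STLS must succeed.
      'opportunistic' - upgrade if advertised, otherwise continue in clear.
    """
    if mode == "implicit":
        return "tls-on-connect"
    if advertises_upgrade(proto, response):
        return "starttls"
    # The capability list arrives in clear text, so a missing STARTTLS cannot
    # be told apart from one removed in transit. Only 'required' fails closed.
    return "abort" if mode == "required" else "cleartext"

if __name__ == "__main__":
    for mode in ("implicit", "required", "opportunistic"):
        print(mode, plan("imap", IMAP_CAPA, mode), plan("imap", IMAP_NO_TLS, mode))
```

When the capability is absent, the opportunistic mode proceeds in clear text while the required mode refuses to log in; that difference is what an explicit setting guarantees.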

