ietf-smtp

Re: request discussion of two documents on SMTP relaying

2005-06-16 15:02:57
At 14:57 +0100 on 06/16/2005, Tony Finch wrote about Re: request discussion of two documents on SMTP relaying:

On Thu, 16 Jun 2005, Keith Moore wrote:

 If I'm not mistaken, TLS does protect against impersonation of a server,
 because part of what is used to derive the encryption key is signed with the
 server's private key, and the client checks the server certificate using the
 CAs' keys that the client already knows about.  Granted this is of little
 value if the user gets a popup message that says "we can't validate the
 server's key, should we trust it anyway?" and says yes without stopping to
 think about whether a MitM attack might be possible.

It is unfortunately common for email client software to silently fall back
to insecure submission if TLS or AUTH fail in any way.

I use Macintosh Eudora (although the Windows version acts the same), where, when I request an SSL (i.e. TLS) session, I can designate the SSL as REQUIRED (as opposed to Optional [i.e. use it if offered in the ESMTP 220 message]). Thus a failure drops the session. I think other MUAs also offer this option. I know that this does not affect the use of ESMTP AUTH on port 587 (or port 25) unless the MUA has a Required option for that (which I know the Outlook-based MUAs do in their Advanced menus).

Note: The documents talk about using TLS on the MSA port 587, although it was my impression that, aside from port 25, TLS is (per the Well-Known-Port List) associated with the SMTP-over-SSL port 465.


Tony.
--
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
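The "REQUIRED rather than Optional" behaviour discussed in this message, written out as a submission client that never falls back to plaintext. This is an added example and not code from the thread or from any of the MUAs mentioned: STARTTLS must be offered, must be accepted with a 220, the certificate must verify against the client's CA store and match the hostname, and only then is AUTH sent; any failure before that point drops the session instead of continuing in the clear. The fake server, the host/port/user values and the 454 reply are constructed so the two failure paths can be exercised offline; no real mail server is contacted.

```python
"""Submission client that never falls back to plaintext: TLS and AUTH are
required, and any failure before AUTH aborts the session.

Added example, not code from the ietf-smtp thread.  The fake server below is a
constructed responder for exercising the failure paths offline; host, port,
user and message values are placeholders.
"""
import smtplib
import socket
import ssl
import threading

SUBMISSION_PORT = 587  # message submission port; TLS is negotiated via STARTTLS


class InsecureSubmissionError(Exception):
    """The session could not be made both encrypted and authenticated."""


def submit_securely(host, port, user, password, sender, recipient, message,
                    *, context=None):
    """Deliver `message` only over a verified TLS session with AUTH.

    If STARTTLS is not offered, is refused (e.g. 454), or the handshake or
    certificate check fails, raise instead of continuing in the clear.
    Returns the sendmail() result (a dict of refused recipients).
    """
    if context is None:
        # Verifies the chain against the system CA store and checks that the
        # certificate matches `host`; this is the anti-impersonation step.
        context = ssl.create_default_context()
    with smtplib.SMTP(host, port, local_hostname="client.example",
                      timeout=10) as smtp:
        try:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                raise InsecureSubmissionError(
                    "server did not offer STARTTLS; refusing plaintext session")
            smtp.starttls(context=context)  # any reply other than 220 raises
            smtp.ehlo()  # capabilities must be re-read after TLS is up
            if not smtp.has_extn("auth"):
                raise InsecureSubmissionError("no AUTH offered after STARTTLS")
        except (smtplib.SMTPException, ssl.SSLError) as exc:
            raise InsecureSubmissionError(f"TLS negotiation failed: {exc}") from exc
        # Credentials only ever cross the wire inside the verified TLS channel.
        smtp.login(user, password)
        return smtp.sendmail(sender, [recipient], message)


# Constructed capability replies for the two failure modes the thread warns about.
NO_STARTTLS = b"250-fake.example\r\n250 AUTH PLAIN LOGIN\r\n"
OFFERS_STARTTLS = b"250-fake.example\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
TLS_REFUSED = b"454 4.7.0 TLS not available due to temporary reason\r\n"


def fake_submission_server(ehlo_reply, starttls_reply):
    """Constructed minimal plaintext SMTP responder for offline tests.

    Returns (port, seen, thread); `seen` records the command verbs received so
    a caller can confirm AUTH was never sent in the clear.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = []

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            while True:
                line = rd.readline()
                if not line:
                    break
                parts = line.split()
                verb = parts[0].upper() if parts else b""
                seen.append(verb)
                if verb == b"EHLO":
                    conn.sendall(ehlo_reply)
                elif verb == b"STARTTLS":
                    conn.sendall(starttls_reply)
                elif verb == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"503 5.5.1 bad sequence of commands\r\n")

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, seen, thread


def run_scenario(ehlo_reply, starttls_reply):
    """Run the client against the fake server; return (error text or None, verbs seen)."""
    port, seen, thread = fake_submission_server(ehlo_reply, starttls_reply)
    try:
        submit_securely("127.0.0.1", port, "user", "hunter2",
                        "user@example.org", "rcpt@example.net",
                        b"Subject: test\r\n\r\nhello\r\n")
        error = None
    except InsecureSubmissionError as exc:
        error = str(exc)
    thread.join(timeout=5)
    return error, seen


if __name__ == "__main__":
    for label, ehlo in (("no STARTTLS offered", NO_STARTTLS),
                        ("STARTTLS refused with 454", OFFERS_STARTTLS)):
        error, seen = run_scenario(ehlo, TLS_REFUSED)
        print(f"{label}: aborted -> {error}; commands seen: {seen}")
```

The second EHLO after STARTTLS matters: capabilities advertised before the handshake came from an unauthenticated peer and may have been stripped or altered in transit, so the client re-reads them inside the tunnel before deciding whether AUTH is available. Against a real server on port 587 the same function would be called with the server's hostname, so that `ssl.create_default_context()` can check the certificate against it.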

