[Top] [All Lists]

Re: Try next MX on a STARTTLS handshake error?

2007-04-20 23:37:52

At 17:56 -0700 on 04/20/2007, Carl S. Gutekunst wrote about Try next MX on a STARTTLS handshake error?:

When a client MTA tries to perform TLS authentication on a server MTA, and the authentication fails, should the client MTA move on to the next MX host, or give up?


I'm struggling with trying to decide if this is correct behavior or not; for some reason it seems intuitively wrong, although I can make a good argument for it being right.

Which way you go is (at least partly) how you classify the failure to authenticate.

If you take the tack that you have succeeded if you establish a connection to the MX, then the failure to authenticate should be a show-stopper and going on to the next MX should not be done.

OTOH, if you regard the failure to authenticate as a failure to connect (ie: As if the attempt to connect to the MX itself failed), then running the MX chain until all MXs are checked or you get one where there is no failure to authenticate, then keep checking.

IOW: When do you regard the connection as successful - When the MX responds or when you succeed in doing an authentication of the MX's certificate (and thus have established a secure session/connection)?

<Prev in Thread] Current Thread [Next in Thread>