Re: Try next MX on a STARTTLS handshake error?

At 17:56 -0700 on 04/20/2007, Carl S. Gutekunst wrote about Try next
MX on a STARTTLS handshake error?:

> When a client MTA tries to perform TLS authentication on a server
> MTA, and the authentication fails, should the client MTA move on to
> the next MX host, or give up?
>
> I'm struggling with trying to decide if this is correct behavior or
> not; for some reason it seems intuitively wrong, although I can make
> a good argument for it being right.

Which way you go is (at least partly) how you classify the failure to
If you take the tack that you have succeeded if you establish a
connection to the MX, then the failure to authenticate should be a
show-stopper and going on to the next MX should not be done.

OTOH, if you regard the failure to authenticate as a failure to
connect (i.e., as if the attempt to connect to the MX itself failed),
then keep checking, running the MX chain until all MXs are checked or
you get one where there is no failure to authenticate.

IOW: When do you regard the connection as successful - When the MX
responds or when you succeed in doing an authentication of the MX's
certificate (and thus have established a secure session/connection)?
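
The two classifications discussed in this message, as an added example that is not part of the original post or of any MTA's code. The policy names, the deliver() function and the sample hosts and outcomes are hypothetical and constructed for illustration.

```python
from enum import Enum

class Outcome(Enum):
    CONNECT_FAILED = "connect_failed"    # the MX never responded
    TLS_AUTH_FAILED = "tls_auth_failed"  # MX responded, STARTTLS authentication failed
    DELIVERED = "delivered"              # authenticated session, message accepted

# Hypothetical names for the two ways of classifying the failure.
AUTH_FAILURE_IS_FINAL = "auth_failure_is_final"
AUTH_FAILURE_IS_CONNECT_FAILURE = "auth_failure_is_connect_failure"

def deliver(mx_records, policy, attempt):
    """Walk the MX hosts in preference order under the given policy.

    mx_records: list of (preference, hostname) tuples
    attempt:    callable(hostname) -> Outcome
    Returns (status, hosts_tried); status is "delivered", "stopped"
    (authentication failure treated as a show-stopper) or "deferred"
    (every MX was tried and none worked).
    """
    tried = []
    for _preference, host in sorted(mx_records):
        tried.append(host)
        outcome = attempt(host)
        if outcome is Outcome.DELIVERED:
            return "delivered", tried
        if outcome is Outcome.TLS_AUTH_FAILED and policy == AUTH_FAILURE_IS_FINAL:
            # The MX responded, so the connection counts as successful;
            # the failed authentication ends the attempt here.
            return "stopped", tried
        # Either the connect failed, or the authentication failure is
        # classified as a connect failure: move on to the next MX.
    return "deferred", tried

# Constructed sample data: the best MX is down, the second fails
# authentication, the third authenticates and accepts the message.
SAMPLE_MX = [(20, "mx2.example.net"), (10, "mx1.example.net"), (30, "mx3.example.net")]
SAMPLE_OUTCOMES = {
    "mx1.example.net": Outcome.CONNECT_FAILED,
    "mx2.example.net": Outcome.TLS_AUTH_FAILED,
    "mx3.example.net": Outcome.DELIVERED,
}

def sample_attempt(host):
    return SAMPLE_OUTCOMES[host]

if __name__ == "__main__":
    for policy in (AUTH_FAILURE_IS_FINAL, AUTH_FAILURE_IS_CONNECT_FAILURE):
        print(policy, deliver(SAMPLE_MX, policy, sample_attempt))
```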