Alexey Melnikov wrote:
> I would like to suggest an alternative: how about saying
> The server MUST NOT trust any information obtained
> from the client, such as command verbs and their arguments, prior
> to the TLS negotiation.
> The client MUST NOT trust any information obtained from the server,
> such as the list of SMTP service extensions,
> prior to the TLS negotiation.
> This avoids the whole issue of what the client/server must and must not

I don't follow the client MUST NOT trust statement. Is it not supposed
to believe what the server presents for extensions?

S: We support STARTTLS, AUTH CRAM-MD5
C: Liar!! No you don't, I don't believe you.

I think what you are implying is:
The client MUST NOT presume the same server extensions apply
after secured SMTP is established.
This is already discussed (implied) in 3207.
Hector Santos, CTO
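
The two readings discussed in this thread, as an added example that is not part of either message: a client-side state tracker that uses the cleartext extension list only to decide whether to start TLS, drops it once TLS is up, and acts on AUTH mechanisms only from the list received inside the TLS session. The class and function names, the sample replies and the "no AUTH before TLS" policy are assumptions made for the illustration.

```python
# Added illustration; names and sample replies are constructed, not from the thread.

def parse_ehlo(reply_lines):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    exts = {}
    for line in reply_lines[1:]:  # first line carries the server domain
        if not line.startswith("250") or len(line) < 4 or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        words = line[4:].split()
        if words:
            exts[words[0].upper()] = [w.upper() for w in words[1:]]
    return exts


class SmtpClientState:
    """Tracks which extension list the client is allowed to act on."""

    def __init__(self):
        self.tls_active = False
        self.extensions = {}

    def on_ehlo_reply(self, reply_lines):
        self.extensions = parse_ehlo(reply_lines)

    def on_tls_established(self):
        # Everything learned in cleartext is dropped; a fresh EHLO must follow.
        self.tls_active = True
        self.extensions = {}

    def auth_mechanisms(self):
        # Assumed policy: AUTH is only chosen from a list received under TLS.
        if not self.tls_active:
            return []
        return self.extensions.get("AUTH", [])


# Constructed sample EHLO replies (cleartext, then inside the TLS session).
PRE_TLS = ["250-mail.example.test", "250-STARTTLS", "250 AUTH CRAM-MD5"]
POST_TLS = ["250-mail.example.test", "250 AUTH PLAIN CRAM-MD5"]


def demo():
    c = SmtpClientState()
    c.on_ehlo_reply(PRE_TLS)
    before = c.auth_mechanisms()
    can_starttls = "STARTTLS" in c.extensions  # cleartext list used only for this
    c.on_tls_established()
    after_handshake = c.auth_mechanisms()
    c.on_ehlo_reply(POST_TLS)
    return before, can_starttls, after_handshake, c.auth_mechanisms()
```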