[Top] [All Lists]

Re: [ietf-smtp] guidance on how to secure against sniffing and paid backdoors

2013-09-14 09:32:57
Timo Sirainen <tss(_at_)iki(_dot_)fi> writes:
I've been considering an SMTP client extension (especially for
submission clients) where they can require that the mail be delivered
via TLS, and have the server reject/bounce it if that's not possible.

This is exactly how EAI makes sure mail doesn't leave the subset of MTAs
that support EAI, and AFAICT it works. For the few people who have EAI
deployed, I mean.

I like it. Some naysayers will tell you it's worthless because it only
guards against snooping (and perhaps MITM attacks to some degree), not
against subverted MTAs or MUAs. Don't listen to them. Snooping is the
only attack that scoops up many, many people's email with O(1) effort
for the attacker, so a mechanism that stops snooping forces up the
attacker's cost drastically.

ietf-smtp mailing list