Should we request a TLS ALPN identifier?
- Section 5 "Applicability Statement" lists "SMTP traffic".
- Section 3.8 "Application-Layer Protocol Negotiation" says that the TLS
must support - but nothing is said about the application layer actually
Implementing a defensive-only ALPN check (refusing a TLS startup, as
server, if anything but the obvious choice of "smtp" is offered as a
requested ALPN by the client) is not hard coding for either OpenSSL
or GnuTLS. Locking out retries with downgrade to cleartext would be
more effort, but perhaps not relevant as a defence against the ALPACA
In client MTA mode I'd expect the coding to make an ALPN request to
be similarly simple. Administrative controls for
would probably be more work than just the library interface.
ietf-smtp mailing list