Re: IETF mail server and SSLv3

2016-02-05 10:36:59

On Feb 5, 2016, at 11:04 AM, Ned Freed <ned(_dot_)freed(_at_)mrochek(_dot_)com> wrote:

As for a delay of < 5 minutes delivering email to such broken sites
it is, for most users, a reasonable trade-off to reduce needless
TLS fallback in the face of routine transmission glitches.

That's a consequence of piggybacking cleartext fallback on the deferral
mechanism you use for transmission failures. It doesn't have to be done this
way.

Final comment.  Cleartext fallback in Postfix is NOT piggybacked on the
deferral mechanism; in fact, until quite recently cleartext fallback was done
synchronously during the initial delivery.

And in fact, it is still synchronous now, because the second delivery still
tries TLS again (just in case the first failure was a fluke) and then retries
in cleartext without extra delay (beyond the time it takes to try and fail
TLS).

The new approach is a careful compromise that avoids over-eager cleartext
fallback on the first attempt, not because we don't have the code to do it
right away, but because we *chose* to delay and try TLS again.

With that, I'm done imposing on ietf(_at_)ietf(_dot_)org in this thread.
Sorry about the noise.

-- 
        Viktor.
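
A small model of the two fallback policies described in the message above, added here as an illustration; it is not Postfix code and not from anyone in the thread. The function name, the policy labels and the handshake outcomes are constructed, and a cleartext delivery is assumed to succeed once tried.

```python
"""Toy model of opportunistic-TLS delivery with cleartext fallback.

Not Postfix code. Names and structure are assumptions for illustration.
"""
from typing import Iterator, List, Tuple

EAGER = "eager"      # fall back to cleartext during the initial delivery
DELAYED = "delayed"  # defer once, retry TLS, only then fall back


def deliver(tls_handshakes: List[bool], policy: str) -> Tuple[str, int, List[str]]:
    """Return (channel, delivery_attempt, log).

    tls_handshakes: constructed input, the outcome of each successive TLS
    handshake with the destination (True = succeeded).
    Assumes a cleartext delivery always succeeds once it is tried.
    """
    results: Iterator[bool] = iter(tls_handshakes)
    log: List[str] = []
    for attempt in (1, 2):
        if next(results, False):
            log.append(f"attempt {attempt}: TLS ok, delivered")
            return "tls", attempt, log
        log.append(f"attempt {attempt}: TLS failed")
        # Eager policy downgrades at once; delayed policy only on attempt 2,
        # and then within the same delivery (no second deferral).
        if policy == EAGER or attempt == 2:
            log.append(f"attempt {attempt}: cleartext retry, delivered")
            return "cleartext", attempt, log
        log.append(f"attempt {attempt}: deferred to queue")
    raise AssertionError("unreachable")


# Constructed scenarios: TLS handshake outcomes per destination.
SCENARIOS = {
    "healthy site": [True],
    "transient glitch": [False, True],
    "TLS-broken site": [False, False],
}

if __name__ == "__main__":
    for name, handshakes in SCENARIOS.items():
        for policy in (EAGER, DELAYED):
            channel, attempt, _ = deliver(handshakes, policy)
            print(f"{name:17} {policy:8} -> {channel} on delivery attempt {attempt}")
```

The transient-glitch row is the case the compromise targets: the eager policy sends in cleartext on the first attempt, while the delayed policy delivers over TLS on the second.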