Jerry Amundson wrote:
> On 5/15/08, Aidas Kasparas <[EMAIL PROTECTED]> wrote:
>> Sam Varshavchik wrote:
>>> Aidas Kasparas writes:
>>>
>>>> I do not have arguments why courier should not fall back in 454 cases
>>>> [remember the "be liberal in what you accept" internet principle?].
>>> Because any 4xx SMTP error code means exactly that: "try again later",
>>> not "try something else entirely, which is less secure".
> [snip]
>> Therefore, I would agree that fallback to plain ESMTP from 354 is
>> "slightly less private" but not "less secure". But we MUST NOT rely on
>> that privacy which STARTTLS offers; therefore I see no problem doing
>> fallback (with the exception when STARTTLS is explicitly requested).
>
> Wrong. A breach of "privacy" is a breach of "security". Period.
For "real privacy" and "real security" only. In my previous mail I
explained why STARTTLS (without explicit configuration for the peer) is no
more than a "convenience": a random tcpdump user is unable to see the
communication without effort. Nothing more. Even more, believing that
STARTTLS provides real privacy out of the box is false, and it should be
dealt with as with any other false sense of security.

> Delivery should be done within the confines of what the session has
> negotiated - no more, no less.

"Successfully negotiated" :-) Receiving 454 is an indicator of failed
negotiation in my book.

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
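To make the two positions in this exchange concrete, here is an added example (my own toy code, not Courier's client and not anything posted in the thread). It drives EHLO/STARTTLS against a scripted stand-in for the remote MTA and shows what a client does with a 454 under each policy: "opportunistic" (fall back to plaintext in the same session, which RFC 3207 leaves to the client's discretion) versus "required" (treat the 454 as the 4xx it is, defer, and never downgrade). The hostnames, policy names and helper functions are this example's own assumptions; the reply codes are the RFC 3207 / RFC 5321 ones.

```python
"""
Added example (not from the courier-users thread or from Courier itself):
a toy SMTP client that makes the STARTTLS fallback policy explicit.

After STARTTLS the server answers 220 (go ahead with the TLS handshake) or
454 (TLS not available due to temporary reason, RFC 3207).  Policies:

  opportunistic : use TLS when it is offered and works, else send in clear
  required      : a 454 is a 4xx, "try again later"; defer, never downgrade

The remote MTA is a scripted stand-in, so nothing touches the network.
"""
from dataclasses import dataclass, field


class TemporaryFailure(Exception):
    """Delivery deferred: the message was not sent in this session."""


@dataclass
class ScriptedServer:
    """Constructed stand-in for the remote MTA with canned replies."""
    ehlo_keywords: tuple            # capabilities advertised in the EHLO reply
    starttls_reply: str             # canned reply to the STARTTLS command
    log: list = field(default_factory=list)

    def send(self, line: str) -> str:
        self.log.append("C: " + line)
        verb = line.split()[0].upper()
        if verb == "EHLO":
            keys = list(self.ehlo_keywords)
            if keys:   # RFC 5321 multi-line reply: "250-" continues, "250 " ends
                lines = (["250-mx.example.test"]
                         + ["250-" + k for k in keys[:-1]]
                         + ["250 " + keys[-1]])
            else:
                lines = ["250 mx.example.test"]
            reply = "\r\n".join(lines)
        elif verb == "STARTTLS":
            reply = self.starttls_reply
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.1 Command not implemented in this toy"
        self.log.append("S: " + reply)
        return reply


def parse_ehlo_keywords(reply: str) -> set:
    """Extract EHLO keywords from a 250 reply; first line is the server name."""
    keys = set()
    for line in reply.split("\r\n")[1:]:
        if line[:3] == "250" and len(line) > 4:
            keys.add(line[4:].split()[0].upper())
    return keys


def deliver_session(server: ScriptedServer, policy: str) -> dict:
    """Run EHLO/STARTTLS against `server` and report what the client did.

    Returns {"tls": bool, "starttls_reply": int or None}; raises
    TemporaryFailure when the policy says to defer rather than downgrade.
    """
    if policy not in ("opportunistic", "required"):
        raise ValueError("unknown policy: " + policy)

    offered = parse_ehlo_keywords(server.send("EHLO client.example.test"))
    if "STARTTLS" not in offered:
        if policy == "required":
            server.send("QUIT")
            raise TemporaryFailure("peer does not advertise STARTTLS; deferring")
        return {"tls": False, "starttls_reply": None}

    reply = server.send("STARTTLS")
    code = int(reply[:3])
    if code == 220:
        # The TLS handshake would happen here.  Afterwards the client must
        # discard what it learned before TLS and issue a fresh EHLO
        # (RFC 3207 section 4.2).
        server.send("EHLO client.example.test")
        return {"tls": True, "starttls_reply": code}

    # Any non-220 reply (the 454 in the thread) means no TLS on this session.
    if policy == "required":
        # Treat it as what a 4xx is: try again later.  (A real MTA would
        # distinguish a 5xx here; this toy defers in both cases.)
        server.send("QUIT")
        raise TemporaryFailure(
            "STARTTLS refused (%d); deferring rather than downgrading" % code)
    # Opportunistic: continue the same session in the clear.  RFC 3207
    # explicitly leaves the "proceed or not" decision after 454 to the client.
    return {"tls": False, "starttls_reply": code}


def outcome(offered_keywords, starttls_reply: str, policy: str) -> str:
    """One word per result: "tls", "plaintext" or "deferred"."""
    srv = ScriptedServer(tuple(offered_keywords), starttls_reply)
    try:
        return "tls" if deliver_session(srv, policy)["tls"] else "plaintext"
    except TemporaryFailure:
        return "deferred"


if __name__ == "__main__":
    TEMP_454 = "454 4.7.0 TLS not available due to temporary reason"
    READY_220 = "220 2.0.0 Ready to start TLS"
    for offered, reply in ((("STARTTLS", "8BITMIME"), TEMP_454),
                           (("STARTTLS", "8BITMIME"), READY_220),
                           (("8BITMIME",), TEMP_454)):
        for policy in ("opportunistic", "required"):
            print("%-22s %-6s %-13s -> %s" % (offered, reply[:3], policy,
                                              outcome(offered, reply, policy)))
```

The interesting row is the 454 one: the same server reply yields "plaintext" under the opportunistic policy and "deferred" under the required one, which is exactly the disagreement above. Whether the per-peer "required" setting is on is the only thing that changes the answer, and it is the thing a sender who actually depends on the privacy of the link must configure.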
