Matus UHLAR - fantomas writes:

>Alessandro Vesely writes:
>>An intermediate approach could be to have a "starttls-something" database
>>anyway, where each host's entry contains the state of the last handshake, any
>>of "known CA", "auto-trusted" with fingerprint and dates, or "broken", with
>>suitable rules for state changes

>On 03.11.11 20:48, Sam Varshavchik wrote:
>>Well, Courier does have something similar, an optional way to force
>>all mail to a known domain to use TLS, and use a certificate with a
>>verified signature.
>>
>>But this is purely opt-in.

>That's why I'd like to make it possible to opt out. Simply: make it a
>temporary error when TLS fails.

Actually, in this case it will NOT fail.

The failures that you're talking about are mainly caused by incompetent idiots running an incompetent mail server made by Microsoft, with an incompetent point-and-click configuration interface that lets you turn on the "enable TLS" checkbox, but without uploading your certificate, and the incompetent mail server actually advertising STARTTLS, but without having an actual certificate at hand. So, when you take it up on its offer to initiate TLS, only then does it figure out that it does not have a cert, and barfs.

In this case, this setting is Courier-specific, so you will never run into that situation. If Courier does not have a cert, it's not going to advertise STARTTLS.
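The three outcomes discussed in this thread (STARTTLS not advertised, advertised but the handshake fails, TLS established with a verified certificate) and the opt-out policy of deferring with a temporary error instead of falling back to cleartext, as an added example; this is not Courier's code and not from anyone in the thread. `probe_starttls` and `delivery_decision` are hypothetical names; the probe needs network access, the policy function is pure and can be exercised offline.

```python
import smtplib
import ssl

# Outcomes a sending MTA can observe when it honours a STARTTLS offer.
NOT_ADVERTISED = "not_advertised"   # EHLO response carries no STARTTLS
HANDSHAKE_FAILED = "broken"         # STARTTLS advertised, then the handshake failed
VERIFIED = "known_ca"               # TLS up, chain and hostname verified


def probe_starttls(host, port=25, timeout=10):
    """Connect, EHLO, and take the server up on its STARTTLS offer.
    Returns one of the outcome constants above. Connection-level errors
    (refused, timeout) are left to the caller, which queues the message anyway."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return NOT_ADVERTISED
        try:
            s.starttls(context=ctx)
        except (smtplib.SMTPException, OSError):
            # Covers a non-220 reply to STARTTLS, a TLS alert, and a
            # certificate verification failure (ssl.SSLError is an OSError).
            return HANDSHAKE_FAILED
        s.ehlo()  # re-EHLO over the encrypted channel
        return VERIFIED


def delivery_decision(outcome, require_tls):
    """Map a probe outcome to the sender's action.
    require_tls=True is the opt-out behaviour proposed above: any failure to
    get verified TLS becomes a temporary error so the message stays queued
    and is retried, never downgraded. False is ordinary opportunistic TLS."""
    if outcome == VERIFIED:
        return ("deliver", None)
    if require_tls:
        return ("defer", "temporary failure: verified TLS required, got " + outcome)
    # Opportunistic mode: both the silent and the broken advertiser end up
    # delivered in cleartext, which is exactly what the opt-out closes off.
    return ("deliver_cleartext", None)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(delivery_decision(probe_starttls(host), require_tls=True))
```

Running the script against a host prints the decision; the constructed outcome constants let the policy be tested without a live server.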

courier-users mailing list