On 2/8/15 4:25 PM, Hanno Böck wrote: > On Sun, 08 Feb 2015 15:55:27 -0500 > Justin Vallon <justinval...@gmail.com> wrote: > >> I am on this list for courier-imap, but I use postfix for SMTP. >> Postfix has an option to only allow auth over under SSL >> (smtpd_tls_auth_only=yes # only allow auth under ssl). >> >> So, I believe this can be enforced on the (Postfix) server-side. Is >> there an equivalent for courier smtpd? > There is, but that's not the point. The attacker can still intercept > the connection. It needs to be enforced on the client as well. > What needs to be enforced by the client? (Conversely, what can the client do incorrectly?)
AUTH is only allowed under SSL. Mail can only be sent (relayed) after AUTH. Therefore, if the MITM prevents the client from STARTTLS'ing, the server will not allow mail to be sent. Unencrypted mail will not be sent. The MITM can (still) perform denial-of-mail-service attack. -- -Justin justinval...@gmail.com
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
