On 2/8/15 4:44 PM, Hanno Böck wrote: > On Sun, 08 Feb 2015 16:39:17 -0500 > Justin Vallon <justinval...@gmail.com> wrote: > >> AUTH is only allowed under SSL. Mail can only be sent (relayed) after >> AUTH. Therefore, if the MITM prevents the client from STARTTLS'ing, >> the server will not allow mail to be sent. Unencrypted mail will not >> be sent. > The attacker can speak STARTTLS to the server and plain text to the > client. And has a full MitM-attack. I see. So, the client needs to require SSL (and be speaking to host=$MAILHOST), and the option "STARTTLS if advertised" is worse than insecure, as it can be easily defeated and gives a false sense of security, as you have demonstrated.
-- -Justin justinval...@gmail.com
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
