Hi,

On Sat, Nov 05, 2005 at 12:48:55AM +0100, Matthias Wimmer wrote:
>
> Out of that context, I think another interesting problem is this:
>
> Think of two servers A and B, that require a SASL authenticated
> connection. (No matter which one enforces this, or if both servers
> enforce this.)
>
> B trusts the certification authority of A, therefore A can deliver
> stanzas to B. [EMAIL PROTECTED] can send a message to [EMAIL PROTECTED]
Shouldn't A refuse to send to B because B is unable to authenticate itself?

My reading of the RFC (section 4.3) is that both ends must authenticate themselves, not just the server which initiates the connection. This makes sense because A shouldn't be sending messages to a potential imposter.

Brian
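To make the disagreement in this exchange concrete, here is a small model added to this page (it is not code from the thread or from any XMPP server). It assumes that a server authenticates to its peer with a certificate via SASL EXTERNAL, and that the peer accepts it only if the issuing CA is in the peer's trust store. Two routing policies are compared: "initiator-only", where A delivers once B has verified A, and "mutual", the reading of RFC 3920 section 4.3 in the reply, where A also refuses unless it has verified B. The server names, CA names and trust sets are constructed for the example.

```python
"""Constructed model of the s2s trust question: when may A deliver stanzas to B?"""
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    issuer_ca: str                                  # CA that signed this server's certificate
    trusted_cas: set = field(default_factory=set)   # CAs whose certificates this server accepts

    def verifies(self, peer: "Server") -> bool:
        """True if this server would accept the peer's certificate (SASL EXTERNAL succeeds)."""
        return peer.issuer_ca in self.trusted_cas


def authenticated_directions(sender: Server, receiver: Server) -> dict:
    """Which sides of the stream have authenticated to the other."""
    return {
        "sender_to_receiver": receiver.verifies(sender),
        "receiver_to_sender": sender.verifies(receiver),
    }


def may_deliver(sender: Server, receiver: Server, policy: str = "mutual") -> bool:
    """Routing decision of the sending server under the chosen policy."""
    auth = authenticated_directions(sender, receiver)
    if policy == "initiator-only":
        # Only the side that opens the stream must prove its identity.
        return auth["sender_to_receiver"]
    if policy == "mutual":
        # Both ends must have authenticated (the reply's reading of section 4.3):
        # the sender refuses if it could not verify who it is talking to.
        return auth["sender_to_receiver"] and auth["receiver_to_sender"]
    raise ValueError(f"unknown policy {policy!r}")


def scenario() -> dict:
    """The case from the quoted mail: B trusts A's CA, but A does not trust B's CA."""
    a = Server("A", issuer_ca="CA-A", trusted_cas={"CA-A"})
    b = Server("B", issuer_ca="CA-B", trusted_cas={"CA-A"})
    return {
        "A->B initiator-only": may_deliver(a, b, "initiator-only"),
        "A->B mutual": may_deliver(a, b, "mutual"),
        "B->A initiator-only": may_deliver(b, a, "initiator-only"),
        "B->A mutual": may_deliver(b, a, "mutual"),
    }


def fixed_scenario() -> dict:
    """Same servers after A adds B's CA to its trust store: delivery works both ways."""
    a = Server("A", issuer_ca="CA-A", trusted_cas={"CA-A", "CA-B"})
    b = Server("B", issuer_ca="CA-B", trusted_cas={"CA-A", "CA-B"})
    return {
        "A->B mutual": may_deliver(a, b, "mutual"),
        "B->A mutual": may_deliver(b, a, "mutual"),
    }


if __name__ == "__main__":
    for label, ok in scenario().items():
        print(f"{label:24} {'deliver' if ok else 'refuse'}")
    for label, ok in fixed_scenario().items():
        print(f"{label:24} {'deliver' if ok else 'refuse'}")
```

In the one-sided trust setup, the "initiator-only" policy lets A deliver to B while B can never deliver to A; the "mutual" policy refuses in both directions until A also trusts B's CA, which is the behaviour the reply argues for.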
