On Thu, 6 May 2010 03:21:02 +0300 Jussi Peltola <pe...@pelzi.net> wrote:
> On Wed, May 05, 2010 at 07:27:46PM +0100, Kevin Chadwick wrote:
> > Of course, if it's your mail server and clients you can use ips without
> > dns, have certificates tied to those ips and even block or monitor resets,
> > none of which can be done with starttls, and it is also a smaller window
> > of opportunity. You can always reset the starttls too and man in the
> > middle that, just one less opportunity.
> >
> If it's your mail server and clients you can just force certificate
> checking on the hosts you want to connect to with tls. Using a different
> port adds no cryptographic security (authentication) at all, so it's
> useless complexity.
>

Sorry, been away. You can use authpf for authentication and even an ssh tunnel for privacy.

The main points are that connecting via starttls is like waving a flag saying "I am going to connect again via ssl soon", when you could just connect once (less of a problem for OpenBSD connections). Also some clients, iphones for example, try ssl and fall back to plain. Using a separate port also means a user has more options to be sure of an ssl connection (desktop firewall, almost any mail client config etc.).

I was wondering what advantages using port 25 alone has, in the light of reading about Yahoo being criticised for not following the standard.

KeV