previously on this list Kevin Chadwick contributed:
> With STARTTLS I believe there is a clear text race where an attacker can
> create a response stating STARTTLS is unsupported resulting in
> cleartext transmission which I believe would not be the case for smtps.

If, as I guess, there isn't any good solution? Would it be an idea, and how
much effort would it be, to track servers supporting STARTTLS and refuse
plain text in the future? Or is it enough to know a request for STARTTLS
means that an IP supports STARTTLS for a short period?

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________
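
The tracking idea asked about in this message, sketched as an added example that is not part of the original post and is not OpenSMTPD code: a sender remembers each peer that advertised STARTTLS and, for a limited time, refuses to fall back to plain text if the keyword later disappears. The class name, the peer key (an IP address here) and the one-hour expiry are assumptions made for illustration.

```python
import time

# Constructed sample EHLO replies (not captured traffic).
GOOD_EHLO = ["250-mx.example.org Hello", "250-SIZE 36700160",
             "250-STARTTLS", "250 HELP"]
STRIPPED_EHLO = ["250-mx.example.org Hello", "250-SIZE 36700160", "250 HELP"]


def advertises_starttls(ehlo_lines):
    """True if an EHLO reply lists the STARTTLS extension keyword."""
    for raw in ehlo_lines[1:]:          # first line is the greeting, not a keyword
        line = raw.rstrip("\r\n")
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False


class StartTLSMemory:
    """Hypothetical per-peer memory of STARTTLS support with an expiry."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.seen = {}                  # peer -> time STARTTLS was last offered

    def decide(self, peer, ehlo_lines, now=None):
        """Return 'starttls', 'refuse' or 'plaintext' for this session."""
        now = time.time() if now is None else now
        if advertises_starttls(ehlo_lines):
            self.seen[peer] = now       # refresh the memory on every sighting
            return "starttls"
        last = self.seen.get(peer)
        if last is not None and now - last <= self.ttl:
            return "refuse"             # offered before, missing now: defer mail
        self.seen.pop(peer, None)       # never seen, or memory expired
        return "plaintext"


if __name__ == "__main__":
    memory = StartTLSMemory(ttl_seconds=3600)
    for t, reply in [(0, GOOD_EHLO), (60, STRIPPED_EHLO), (7200, STRIPPED_EHLO)]:
        print(t, memory.decide("192.0.2.10", reply, now=t))
```

A memory like this only helps after a peer has been seen offering STARTTLS at least once; a reply with the keyword removed on first contact, or after the entry expires, is still delivered in plain text.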