On 13/02/18 17:03, Viktor Dukhovni wrote: > Sorry, you're right, the client has to enforce TLS, whether implicit > or not. Some clients try multiple ports and multiple operating modes, > so might also try port 25 in the clear, 465 with TLS and 587 with or > without STARTTLS. Such clients are subject to MiTM. The server > should also insist on TLS, to better train its clients, but the > primary burden to ensure security is on the client.
Right and here you're referring to the auto-configuration feature on most modern clients. If a server is correctly configured to not allow plain text authentication in any means but a client's auto-configure picks up a working auth on a plain text connection then it would seem to me that a MITM is active. This would become apparent as soon as the plain text connection is attempted when the MITM is no longer there, though as the auto-configured settings would be saved. The main difference between this and the previously-mentioned opportunistic STARTTLS that older clients offer is that those older clients will fall back to plain text at any given time, not just during auto-configuration. This makes the attack vector more dangerous, imo because it would not become apparent to the user that anything is wrong when this happens or when the MITM goes away, it would all appear to just work normally the entire time. Peter