-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bernard Johnson wrote: > When you implement this [STARTTLS], consider: > > -tls = on/off/optional > > on = tls is always on and required > off = tls is always off and not announced > optional = tls is announced and client can use tls or proceed w/o tls
I knew that somebody was going to ask for that (the "optional" flag) :-) My question is, though, why? At least in my environment, if I roll out SMTP AUTH, then I want to make 100% sure that it's running over an encrypted channel so as not to expose passwords. For that reason, I specifically don't want to enable the "optional" value you mentioned on my systems. Is CRAM-MD5 safe even over a plain-text channel? Perhaps that would explain it. AUTH PLAIN certainly isn't... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF4dTmhk3bo0lNTrURAlbUAKDVpnF9UIf62J62MVy0EyYanJoGuQCgio/p h2beVElDMsXBrZwfn16fXb0= =+nki -----END PGP SIGNATURE----- _________________________________________________ tmda-workers mailing list ([email protected]) http://tmda.net/lists/listinfo/tmda-workers
