On Tue, 9 Oct 2007, Jo Rhett wrote: > On Oct 9, 2007, at 4:22 PM, Chris Edwards wrote: > > Your server then enforces encryption and SMTP-AUTH, and the SSL will > > (hopefully) defeat any man-in-the-middle attacks by trans-proxies. > > That's exactly the problem I am reporting. A lot of mail clients > don't enforce SSL connections, so man in the middle is silently > accepted. Only T-bird can be configured to not work any other way, > TTBOMK.
Jo you didn't read Chris's statement closely. A conscientious mail server administrator will configure the SERVER to -ONLY- accept encrypted connections for SMTP-AUTH transactions; the server should enforce the encryption requirements. Thus it does not matter what the client wants to do, the server should not let the client continue the SMTP-AUTH transaction until it has completed the STARTTLS operation (or in the case of SMTPS, it's already encrypted). Back to Skip's question, possibly the easiest way to solve his problem would be to run two SMTP servers, one on port 25 with full spam/AV scanning for regular mail traffic, one on ports 587 & 645 with SMTP-AUTH/TLS for his users' clients to submit messages, on that one have AV scanning and possibly limited spam scanning. -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{