On Tue, 9 Oct 2007, Jo Rhett wrote:
> On Oct 9, 2007, at 4:22 PM, Chris Edwards wrote:
> > Your server then enforces encryption and SMTP-AUTH, and the SSL will
> > (hopefully) defeat any man-in-the-middle attacks by trans-proxies.
>
> That's exactly the problem I am reporting. A lot of mail clients
> don't enforce SSL connections, so man in the middle is silently
> accepted. Only T-bird can be configured to not work any other way,
> TTBOMK.
Jo you didn't read Chris's statement closely. A conscientious mail server
administrator will configure the SERVER to -ONLY- accept encrypted
connections for SMTP-AUTH transactions; the server should enforce
the encryption requirements.
Thus it does not matter what the client wants to do, the server should
not let the client continue the SMTP-AUTH transaction until it has
completed the STARTTLS operation (or in the case of SMTPS, it's
already encrypted).
Back to Skip's question, possibly the easiest way to solve his
problem would be to run two SMTP servers, one on port 25 with full
spam/AV scanning for regular mail traffic, one on ports 587 & 645 with
SMTP-AUTH/TLS for his users' clients to submit messages, on that one
have AV scanning and possibly limited spam scanning.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
