>> - Some ambiguity about when the REQUIRETLS extension should be
>> advertised. The draft had assumed that it would be advertised on any
>> EHLO response, even before STARTTLS had occurred.
>
> Doesn't that open up a denial of service vulnerability, where an attacker
> can make a client incorrectly think a server requires TLS?

Please note that REQUIRETLS is something that the client requests from the SMTP server, not vice versa.

/rolf

_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
