Re: [offtopic] When is STARTTLS allowed?

From: Lutz Jaenicke (lutzlutz-jaenicke.de)
Date: Thu Feb 01 2007 - 04:51:03 CST


Victor Duchovni wrote:
> On Wed, Jan 31, 2007 at 04:14:52PM -0200, Pedro Lamarão wrote:
>
>
>> First off, I'm sorry to post this rather offtopic question.
>> I searched Google Groups for a USENET group specific to SMTP and found none.
>>
>> I've just read RFC 2487 and was left wondering exactly when is STARTTLS
>> allowed.
>> The obvious use case is to use it just after the TCP connection was
>> established, when the session is at the "initial" state.
>> But is it allowed after MAIL, when the session is at the "envelope" state?
>> Is it allowed after RCPT during the "envelope" state?
>> (This state terminology is mine, sorry if it is too confusing; I'm
>> trying to build a "state machine" picture out of the protocol.)
>>
>> The RFC merely states that, after STARTTLS handshaking completes, the
>> connection goes back to the "initial" state and a HELO or EHLO must be
>> issued.
>>
>
> With SMTP, "STARTTLS" is allowed only between "EHLO" and "MAIL",
> and only if the server's ESMTP EHLO response includes "250-STARTTLS"
> (or ends with "250 STARTTLS").
>
>
STARTTLS is allowed even if no 250 STARTTLS was sent. A "man in the middle"
might have modified the EHLO response sent by the remote MTA.
That's one of the reasons why the EHLO response MUST be discarded after
STARTTLS (the other one being that a different feature set may be valid
now).

Best regards,
    Lutz
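
The rule from the reply above, that whatever the client learned from the cleartext EHLO response is discarded once TLS is up and EHLO is sent again, sketched as a client-side state tracker. This is an added example, not part of the original thread; the class and function names, the `require_tls` policy and the sample EHLO replies are constructed for illustration.

```python
# Constructed sample EHLO replies (not captured traffic).
CLEAR_EHLO = "250-mx.example.org\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
TLS_EHLO = "250-mx.example.org\r\n250-PIPELINING\r\n250-AUTH PLAIN\r\n250 8BITMIME\r\n"
STRIPPED_EHLO = "250-mx.example.org\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 reply."""
    caps = set()
    for line in reply.splitlines()[1:]:  # first line is the server greeting
        if line[:3] == "250" and line[3:4] in "- ":
            words = line[4:].split()
            if words:
                caps.add(words[0].upper())
    return caps


class ClientSession:
    """Tracks which EHLO knowledge is valid for the current channel."""

    def __init__(self, require_tls=True):
        self.require_tls = require_tls  # assumed local policy: no cleartext mail
        self.tls = False
        self.caps = None  # None means: no EHLO reply valid for this state

    def on_ehlo(self, reply):
        self.caps = parse_ehlo(reply)

    def on_tls_established(self):
        # Session is back in the initial state: everything learned in
        # cleartext (possibly altered in transit) is thrown away.
        self.tls = True
        self.caps = None

    def next_step(self):
        if self.caps is None:
            return "EHLO"
        if not self.tls:
            if "STARTTLS" in self.caps:
                return "STARTTLS"
            if self.require_tls:
                return "ABORT"  # missing offer may mean it was stripped
        return "MAIL"
```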