Re: [offtopic] When is STARTTLS allowed?
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Thu Feb 01 2007 - 10:27:06 CST
On Thu, Feb 01, 2007 at 11:51:03AM +0100, Lutz Jaenicke wrote:
> > With SMTP, "STARTTLS" is allowed only between "EHLO" and "MAIL",
> > and only if the server's ESMTP EHLO response includes "250-STARTTLS"
> > (or ends with "250 STARTTLS").
> >
> STARTTLS is allowed even if no 250 STARTTLS was sent. A "man in the middle"
> might have modified the EHLO response sent by the remote MTA.
> That's one of the reasons why the EHLO response MUST be discarded after
> STARTTLS (the other one being that a different feature set may be valid
> now).
The MITM can also return 450 in response to "STARTTLS". If there is a
man in the middle, queue and retry. I see no justification for
STARTTLS without a server announcement. Furthermore, section 7 of
RFC 2487 includes this text:
A man-in-the-middle attack can be launched by deleting the "250
STARTTLS" response from the server. This would cause the client not
to try to start a TLS session. An SMTP client can protect against
this attack by recording the fact that a particular SMTP server
offers TLS during one session and generating an alarm if it does not
appear in the EHLO response for a later session. The lack of TLS
during a session SHOULD NOT result in the bouncing of email, although
it could result in delayed processing.
Nothing here about sending "STARTTLS" when it is not offered, rather the
opposite is implicit.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
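The client-side policy argued for above, as an added Python example (not Postfix code and not from the thread): it parses the EHLO reply, sends STARTTLS only when the server advertises it, and applies the RFC 2487 section 7 memory so a server that stops advertising TLS is deferred rather than bounced. Hostnames and replies below are constructed.

```python
# Constructed sample EHLO replies (not captured from a real server).
EHLO_WITH_TLS = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-mail.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


def ehlo_keywords(response):
    """Parse a multi-line ESMTP EHLO reply into its keyword set.

    Lines are '250-keyword' (more to come) or '250 keyword' (last line).
    A reply that is not well-formed raises ValueError instead of being
    silently treated as 'no STARTTLS'."""
    lines = response.rstrip("\r\n").split("\r\n")
    keywords = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        is_last = line[3] == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("bad continuation marker in EHLO reply")
        if i > 0:  # the first line carries the server's domain, not a keyword
            keywords.add(line[4:].split(" ")[0].upper())
    return keywords


def starttls_decision(server, response, tls_seen):
    """Decide what to do after EHLO. tls_seen is the client's memory of
    servers that offered STARTTLS in an earlier session (RFC 2487 sec. 7)."""
    if "STARTTLS" in ehlo_keywords(response):
        tls_seen.add(server)
        return "starttls"
    if server in tls_seen:
        # Offered before, missing now: possible MITM stripping the
        # announcement. Alarm and defer (queue and retry), never bounce.
        return "defer"
    return "plaintext"  # never offered: send without TLS, no STARTTLS attempt


def after_starttls_reply(code):
    """Handle the server's reply to the STARTTLS command itself."""
    if code == 220:
        return "negotiate"  # run the TLS handshake, discard the old EHLO, re-EHLO
    # 450 or any other non-220 reply (possibly injected): queue and retry later
    return "defer"
```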