On Wed, May 05, 2010 at 03:30:06PM +0100, Kevin Chadwick wrote:
> Do you not think it would be better for mail servers to try SSL on one
> port and then plain on port 25 if an RST or timeout occurs? Then it
> would be harder for attackers to force falling back to plain, and
> forcing only TLS would be easier.

Ugh... If the attacker can modify the EHLO to not include STARTTLS, he surely can also send an RST in response to your attempt to connect to another port.
Also, SSL is completely useless without DNSSEC. You just need to spoof the MX records or the A records they point to and you've lost. Current-day email just is not secure. It's no use trying to pretend otherwise.

Jussi Peltola
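The STARTTLS stripping that this reply refers to, as an added example that is not part of the original thread: an active attacker between client and server rewrites the multiline EHLO reply so the STARTTLS capability disappears, and an opportunistic client then continues in plaintext, while a client that requires TLS aborts instead. The EHLO reply, the hostnames and the capability list are constructed for the example; the RFC 5321 "250-"/"250 " continuation format is real.

```python
"""STARTTLS stripping, simulated on a constructed EHLO reply (example code)."""
import re
from typing import List

# Constructed EHLO reply, in the RFC 5321 multiline form: every line but the
# last uses "250-", the last uses "250 " (space).  Hostnames are made up.
SERVER_EHLO_REPLY = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)

_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str) -> List[str]:
    """Return the upper-cased EHLO keywords advertised in a 250 reply.

    The first line is the server greeting and carries no keyword.  Raises
    ValueError on a reply that is not a well-formed multiline 250 response.
    """
    lines = [l for l in reply.split("\r\n") if l]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    keywords = []
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        is_last = i == len(lines) - 1
        if (m.group(1) == " ") != is_last:
            raise ValueError("bad continuation marker on line: %r" % line)
        if i > 0:
            keywords.append(m.group(2).split()[0].upper())
    return keywords


def mitm_strip_starttls(reply: str) -> str:
    """Rewrite the reply the way an active attacker would: drop the STARTTLS
    line and re-terminate the multiline reply so the client sees nothing odd."""
    lines = [l for l in reply.split("\r\n") if l]
    kept = [l[4:] for l in lines if l[4:].split()[0].upper() != "STARTTLS"]
    out = ["250-" + t for t in kept[:-1]] + ["250 " + kept[-1]]
    return "\r\n".join(out) + "\r\n"


def client_decision(reply: str, require_tls: bool) -> str:
    """What a client does after reading the EHLO reply.

    'starttls'  - STARTTLS advertised, client upgrades the connection
    'plaintext' - not advertised and the client is opportunistic (downgraded)
    'abort'     - not advertised and the client insists on TLS (fails closed)
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    return "abort" if require_tls else "plaintext"


if __name__ == "__main__":
    stripped = mitm_strip_starttls(SERVER_EHLO_REPLY)
    print("server advertises:", parse_ehlo(SERVER_EHLO_REPLY))
    print("client sees after MITM:", parse_ehlo(stripped))
    print("opportunistic client:", client_decision(stripped, require_tls=False))
    print("TLS-required client:", client_decision(stripped, require_tls=True))
```

The only client-side setting that defeats the rewrite is `require_tls=True`, which is exactly the "forcing only TLS" the quoted message asks for; the stripping itself is invisible to the client because the attacker re-terminates the reply correctly. Note that the same attacker can also answer a connection to a dedicated TLS port with an RST, so a try-TLS-port-then-fall-back policy ends in the same plaintext state.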