On Wed, May 05, 2010 at 03:30:06PM +0100, Kevin Chadwick wrote:
> Do you not think it would be better for mail servers to try SSL on one
> port and then plain on port 25 if a RST or timeout occurs? Then it
> would be harder for attackers to force falling back to plain, and
> forcing only TLS would be easier.
 
Ugh...
If the attacker can modify the EHLO to not include STARTTLS he surely
can also send a RST in response to your attempt to connect to another
port.

Also, SSL is completely useless without DNSSEC. You just need to spoof
the MX records or the A records they point to and you've lost.

Current day email just is not secure. It's no use trying to pretend
otherwise.

Jussi Peltola

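The two downgrade paths discussed in the message above (an attacker on the TCP path rewriting the EHLO reply to drop STARTTLS, and an attacker resetting the probe of a TLS-only port so the client falls back to port 25) can be shown without any network at all. The following is an added example, not code from the thread or from any MTA: it parses an RFC 5321 multi-line EHLO reply, applies either an opportunistic or a mandatory TLS policy, and simulates both attacks on a constructed server reply. Host names, the port-probe outcomes and the policy names are assumptions made for the example.

```python
import re

# Constructed EHLO reply (RFC 5321 multi-line format) from a server that
# offers STARTTLS.  The host names are made up for this example.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.net Hello client.example.org\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-PIPELINING\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(raw: bytes) -> dict:
    """Parse a multi-line SMTP EHLO reply.

    Returns {"code": "250", "greeting": ..., "extensions": {KEYWORD: params}}.
    Continuation lines are '<code>-<text>', the final line is '<code> <text>';
    extension keywords are compared case-insensitively.
    """
    lines = [l for l in raw.decode("ascii", errors="replace").split("\r\n") if l]
    if not lines:
        raise ValueError("empty EHLO reply")
    code, greeting, extensions = None, None, {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, text = m.groups()
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("reply terminator in the wrong place")
        if i == 0:
            greeting = text
        else:
            kw, _, params = text.partition(" ")
            extensions[kw.upper()] = params
    return {"code": code, "greeting": greeting, "extensions": extensions}


def strip_starttls(raw: bytes) -> bytes:
    """What an active attacker on the TCP path does: delete the STARTTLS
    keyword from the server's EHLO reply before the client sees it.
    The terminator is repaired so the reply still parses cleanly."""
    kept = [l for l in raw.split(b"\r\n")
            if l and l[4:].strip().upper() != b"STARTTLS"]
    kept = [l[:3] + b"-" + l[4:] for l in kept]
    kept[-1] = kept[-1][:3] + b" " + kept[-1][4:]
    return b"\r\n".join(kept) + b"\r\n"


def next_step(ehlo_reply: bytes, policy: str) -> str:
    """Decide the client's next command from the EHLO reply.

    policy "opportunistic": use TLS if offered, otherwise carry on in the
    clear (the usual MTA default).  policy "mandatory": refuse to continue
    without TLS.  Only the second one survives a stripped reply.
    """
    info = parse_ehlo(ehlo_reply)
    if info["code"] != "250":
        return "QUIT"
    if "STARTTLS" in info["extensions"]:
        return "STARTTLS"
    if policy == "opportunistic":
        return "MAIL FROM"   # plaintext session follows
    if policy == "mandatory":
        return "QUIT"        # TLS required but not offered
    raise ValueError(f"unknown policy {policy!r}")


def port_fallback(tls_port_result: str, ehlo_on_25: bytes) -> str:
    """The scheme proposed in the quoted mail: try a TLS-only port first and
    fall back to port 25 if the connection is reset or times out.  An
    attacker who can inject a RST makes the probe fail, so the client lands
    on port 25 with whatever EHLO reply the attacker lets through.
    tls_port_result is one of "connected", "rst", "timeout" (constructed)."""
    if tls_port_result == "connected":
        return "TLS"
    return "TLS" if next_step(ehlo_on_25, "opportunistic") == "STARTTLS" else "PLAINTEXT"


if __name__ == "__main__":
    stripped = strip_starttls(EHLO_WITH_STARTTLS)
    print("honest reply, opportunistic :", next_step(EHLO_WITH_STARTTLS, "opportunistic"))
    print("stripped reply, opportunistic:", next_step(stripped, "opportunistic"))
    print("stripped reply, mandatory    :", next_step(stripped, "mandatory"))
    print("TLS port RST + stripped EHLO :", port_fallback("rst", stripped))
```

Running it shows the point of the reply: with the opportunistic policy a stripped EHLO quietly turns into a plaintext `MAIL FROM`, the port-probe scheme only adds one more step the same attacker can defeat with a RST, and the only client behaviour that does not end in plaintext is refusing to deliver when STARTTLS is absent.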