> Ugh...
> If the attacker can modify the EHLO to not include STARTTLS he surely
> can also send a RST in response to your attempt to connect to another
> port.
> 
> Also, SSL is completely useless without DNSSEC. You just need to spoof
> the MX records or the A records they point to and you've lost.
> 
> Current day email just is not secure. It's no use trying to pretend
> otherwise.
> 
> Jussi Peltola
> 

Of course, if it's your mail server and clients, you can use IPs without
DNS, have certificates tied to those IPs, and even block or monitor resets,
none of which can be done with STARTTLS, and it is also a smaller window
of opportunity. You can always reset the STARTTLS too and man-in-the-middle
that, just one less opportunity.
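
The two points raised in this thread, a stripped STARTTLS advertisement and certificates tied to server IPs, can be combined into a fail-closed client policy. The sketch below is an added example, not code from either poster; the pin table, the IP address, the EHLO replies and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: 192.0.2.25 is a documentation address and the
# "certificate" is placeholder bytes standing in for a DER-encoded cert.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate"
PINS = {"192.0.2.25": hashlib.sha256(SAMPLE_CERT_DER).hexdigest()}

GOOD_EHLO = ("250-mail.example.net\r\n250-PIPELINING\r\n"
             "250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
STRIPPED_EHLO = GOOD_EHLO.replace("250-STARTTLS\r\n", "")


def ehlo_extensions(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:  # line 0 is the greeting
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts


def decide(ip, ehlo_reply, peer_cert_der):
    """Fail closed: send only over TLS to a server whose cert matches the pin.

    peer_cert_der is the certificate seen after the upgrade, e.g. from
    ssl.SSLSocket.getpeercert(binary_form=True), or None if no TLS session.
    """
    pin = PINS.get(ip)
    if pin is None:
        return "refuse: no pin configured for this IP"
    if "STARTTLS" not in ehlo_extensions(ehlo_reply):
        return "refuse: STARTTLS not advertised"
    if peer_cert_der is None:
        return "refuse: TLS upgrade did not complete"
    seen = hashlib.sha256(peer_cert_der).hexdigest()
    if not hmac.compare_digest(seen, pin):
        return "refuse: certificate does not match pin"
    return "send"


if __name__ == "__main__":
    print(decide("192.0.2.25", GOOD_EHLO, SAMPLE_CERT_DER))
    print(decide("192.0.2.25", STRIPPED_EHLO, None))
    print(decide("192.0.2.25", GOOD_EHLO, b"substituted certificate"))
```

A refusal here only prevents cleartext or mis-authenticated delivery; a reset connection still results in no mail being sent, which is the availability trade-off the thread describes.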
