On Wed, May 05, 2010 at 07:27:46PM +0100, Kevin Chadwick wrote:
> Of course, if it's your mail server and clients you can use IPs without
> DNS, have certificates tied to those IPs and even block or monitor resets,
> none of which can be done with STARTTLS, and it is also a smaller window
> of opportunity. You can always reset the STARTTLS too and man-in-the-
> middle that, just one less opportunity.
> 

If it's your mail server and clients you can just force certificate
checking on the hosts you want to connect to with TLS. Using a different
port adds no cryptographic security (authentication) at all, so it's
useless complexity.

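One way to implement the forced certificate checking the reply describes, as an added example that is not part of this thread: the client refuses to continue in the clear when STARTTLS is not offered (a stripped offer and a server that never supported it look identical), and it verifies the certificate against the hostname it intended to reach. It assumes Python's standard `smtplib` and `ssl` modules; `FakeSmtp` is a constructed stand-in so the policy logic can be exercised offline.

```python
import smtplib
import ssl


class StartTlsUnavailable(Exception):
    """Peer did not offer or accept STARTTLS; the session stays unencrypted."""


def upgrade_to_tls(client, server_hostname, context=None):
    """Upgrade an already-connected SMTP session to TLS, failing closed.

    `client` is an smtplib.SMTP-like object. Returns True only once STARTTLS
    succeeded with the chain and hostname verified. smtplib checks the name
    the client was *constructed* with, so pass the intended hostname there,
    never an address learned from DNS or from the server banner.
    """
    if context is None:
        context = ssl.create_default_context()  # system CA store
        context.check_hostname = True           # explicit: name must match
        context.verify_mode = ssl.CERT_REQUIRED  # explicit: no anonymous TLS
    client.ehlo()
    if not client.has_extn("starttls"):
        # No downgrade to plaintext: an attacker who strips the STARTTLS
        # keyword from EHLO wants exactly that fallback.
        raise StartTlsUnavailable(f"{server_hostname} did not advertise STARTTLS")
    code, _ = client.starttls(context=context)
    if code != 220:
        raise StartTlsUnavailable(f"STARTTLS refused with code {code}")
    client.ehlo()  # EHLO must be repeated after the upgrade (RFC 3207)
    return True


def open_verified_session(hostname, port=587, timeout=10):
    """Connect to `hostname` and return a TLS-protected, verified session or raise."""
    client = smtplib.SMTP(hostname, port, timeout=timeout)
    try:
        upgrade_to_tls(client, hostname)
    except Exception:
        client.close()
        raise
    return client


class FakeSmtp:
    """Constructed offline stand-in for smtplib.SMTP (not a real server)."""

    def __init__(self, offers_starttls, starttls_code=220):
        self._extns = {"starttls"} if offers_starttls else set()
        self._code = starttls_code

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name in self._extns

    def starttls(self, context=None):
        return self._code, b"ready"
```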