On 03/14/2012 04:03 PM, Patrick Ben Koetter wrote:
> * Charles Marcus <cmar...@media-brokers.com>:
>> On 2012-03-14 2:39 PM, Ed W <li...@wildgooses.com> wrote:
>>> I see no reason to *require* encryption on the submission port (RFC
>>> aside).
>>
>> Unless you prefer that sniffers not be able to see your passwords
>> crossing the wire in plaintext?
>>
>>> I think "may" is a more appropriate default?
>>
>> Disagree vehemently.
>
> The RFC on submission is clear about that. It says SHOULD and not MUST. It is
> safe to AUTH if you use cram-md5, digest-md5, ntlm or any other non-plaintext
> mechanism. Forcing TLS by default is safer, but it pushes a policy on people
> they SHOULD decide themselves, I think.

I agree with Charles: the defaults should be as safe as possible, but
adjustable in the rare case that the administrator has some idea what
he's doing.
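
The distinction argued over in this thread can be checked from the outside. The following is an added example, not part of any poster's message: it parses the EHLO reply a submission server gives before STARTTLS and reports whether cleartext AUTH mechanisms are on offer at that point. The sample reply, the host name `mail.example.org` and the function names are constructed for illustration.

```python
# Added example: audit what a submission server advertises before TLS.
# Assumption: a server that requires TLS for AUTH does not advertise AUTH
# until after STARTTLS, so AUTH in the pre-TLS EHLO reply means it is usable
# on the unencrypted connection.

# Mechanisms that send the password itself, only base64-encoded.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample reply (not captured from a real host).
SAMPLE_EHLO = """250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5
250 8BITMIME"""


def parse_ehlo(reply):
    """Return (has_starttls, auth_mechanisms) from a multi-line 250 reply."""
    starttls, mechs = False, set()
    for line in reply.splitlines():
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue  # not an EHLO capability line
        body = line[4:].strip().upper()
        if body.startswith("AUTH="):  # legacy form kept for old clients
            body = "AUTH " + body[5:]
        words = body.split()
        if not words:
            continue
        if words[0] == "STARTTLS":
            starttls = True
        elif words[0] == "AUTH":
            mechs.update(words[1:])
    return starttls, mechs


def audit_pre_tls(reply):
    """List findings about AUTH exposure on the unencrypted connection."""
    starttls, mechs = parse_ehlo(reply)
    findings = []
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed:
        findings.append("cleartext AUTH offered before TLS: " + ", ".join(exposed))
    if mechs and not starttls:
        findings.append("AUTH offered but STARTTLS not advertised")
    return findings


if __name__ == "__main__":
    for finding in audit_pre_tls(SAMPLE_EHLO):
        print(finding)
```

An empty result means the pre-TLS reply offers no AUTH at all, which is what an enforced-TLS default looks like from the client side.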