On Wed, Jan 14, 2015 at 06:08:16PM -0500, Wietse Venema wrote:

> > The security level for "smtps" should be at least "encrypt" or
> > ideally "secure", though "fingerprint" and "dane-only" might also
> > be options.  We'd need to rule out "may" so as to avoid plaintext
> > fallback.
> 
> That does not seem to be a problem - in "port 465" mode
> the SMTP client can always skip the plaintext handshake.

I think I'll understand the code better than the above sentence...

> I have preliminary code almost working with little code.

It certainly does not look too scary.  Just add a flag to still
expect a 220 banner after TLS, and require a security level of at
least "encrypt", then, as you note, jump right into smtp_start_tls()
bypassing the outer smtp_helo().

-- 
        Viktor.
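A configuration check for the concern raised in this exchange (wrapper mode on port 465 must not be paired with a security level that permits plaintext fallback), added here as an example and not code from Postfix or from the thread's participants. It assumes the feature being discussed ships as the main.cf parameter `smtp_tls_wrappermode` (the name Postfix 3.0 later used); the two main.cf fragments are constructed sample input, and `check_wrappermode` and `cf_get` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: scan a Postfix main.cf fragment and reject the combination
# of wrapper mode (implicit TLS, "port 465" mode) with a TLS security level
# that would still allow a plaintext SMTP session.
# Assumption: the feature discussed in the thread is enabled by the main.cf
# parameter "smtp_tls_wrappermode" (as in Postfix 3.0 and later).

# Print the effective value of a main.cf parameter; as in Postfix, the last
# assignment wins.  Prints nothing if the parameter is unset.
cf_get() {
    # $1 = parameter name, $2 = path to main.cf
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the configuration is acceptable, 1 when wrapper mode is on
# but smtp_tls_security_level is absent, "none" or "may" (plaintext possible).
check_wrappermode() {
    # $1 = path to main.cf
    mode=$(cf_get smtp_tls_wrappermode "$1")
    level=$(cf_get smtp_tls_security_level "$1")
    case "$mode" in
        yes|true|on) ;;
        *) return 0 ;;          # not in wrapper mode: nothing to check
    esac
    case "$level" in
        # Levels that make TLS mandatory; "dane" (without -only) and "may"
        # can degrade to plaintext and are deliberately not listed.
        encrypt|verify|fingerprint|secure|dane-only) return 0 ;;
        *)
            echo "smtp_tls_wrappermode=yes with smtp_tls_security_level='${level:-unset}': plaintext fallback possible" >&2
            return 1 ;;
    esac
}

# Constructed sample configurations (not taken from any real system).
WEAK_CF=$(mktemp)
SAFE_CF=$(mktemp)
cat >"$WEAK_CF" <<'EOF'
relayhost = [smtp.example.com]:465
smtp_tls_wrappermode = yes
smtp_tls_security_level = may
EOF
cat >"$SAFE_CF" <<'EOF'
relayhost = [smtp.example.com]:465
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
EOF

# Usage: check_wrappermode /etc/postfix/main.cf || echo "fix main.cf"
```

The check mirrors the rule stated above: once the client connects expecting TLS from the first byte, the only levels that make sense are those that never negotiate down to plaintext, so `may` (and an unset level, which defaults to no TLS) is reported as a misconfiguration.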
