David B Funk wrote:
> Jo you didn't read Chris's statement closely. A conscientious mail server
> administrator will configure the SERVER to -ONLY- accept encrypted
> connections for SMTP-AUTH transactions; the server should enforce
> the encryption requirements.
>
This is a religious war declaration or what? ok, let me see what I can say ;-p

<grin>

A conscien-something admin knows that, as is always the case with encryption, security depends on the implementation (code, environment, random number generation, ...) and not on the specification. For example, a conscien-something admin knows about things like this: http://www.henlich.de/moz-smtp/

A conscien-something admin knows that linking a large library like openssl into an otherwise quite safe MTA adds more opportunities for system compromise.

A conscien-something admin prefers to be an open relay than a zombie.

A conscien-something admin knows that it is possible to protect logins without TLS (if data protection is needed, PGP and S/MIME provide this end-to-end, something that no server $thing can provide). Sure, not all clients support (secure) authentication methods. But the same goes for STARTTLS (and don't tell me about the obsolete smtps, because conscien-something admins don't implement obsolete things).

A conscien-something admin knows that unless client certificates are used, starttls doesn't help against dictionary attacks performed from botnets (so you can't just block one IP). The same admin knows that deploying client certificates and/or assisting their users does not come for free, unless they work in a government organization financed by public taxes (but even then, a conscien-* admin won't spend people's money so frivolously).

A conscien-something admin knows that the private key is somewhere on the system, and that protecting it does not come for free.

And of course, a conscien-something admin can set up an IPSec/ssh/* tunnel and not care about STARTTLS at all, ... and still feel conscientious. But maybe not. Maybe he should still enforce STARTTLS? Come on...

</grin>

TLS is nice, but...
> Thus it does not matter what the client wants to do, the server should
> not let the client continue the SMTP-AUTH transaction until it has
> completed the STARTTLS operation (or in the case of SMTPS, it's
> already encrypted).
>
> Back to Skip's question, possibly the easiest way to solve his
> problem would be to run two SMTP servers, one on port 25 with full
> spam/AV scanning for regular mail traffic, one on ports 587 & 645 with
> SMTP-AUTH/TLS for his users' clients to submit messages, on that one
> have AV scanning and possibly limited spam scanning.
>

Fully agreed.
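The server-side rule David B Funk describes (refuse AUTH until STARTTLS has completed, and run a separate submission server that requires authentication before relaying) can be modelled as a small command gate. The following is an added illustration written for this thread, not code from any of the participants or from any real MTA. It performs no real TLS handshake: STARTTLS just flips a flag so the gating logic can be exercised. The `Policy` and `Session` names are this example's own; the reply codes and texts are those RFC 3207 and RFC 4954 specify for these situations.

```python
"""Model of an SMTP server that refuses AUTH before STARTTLS and that
distinguishes an MX listener (port 25) from a submission listener (587).

Added example for this thread; not the code of any real mail server.
No TLS is negotiated here: starttls() only records that the channel is
now considered encrypted so the AUTH gate can be tested offline.
"""

from dataclasses import dataclass, field


@dataclass
class Policy:
    port: int
    tls_required_for_auth: bool = True    # the "conscientious admin" setting
    auth_required_to_relay: bool = False  # True on a submission (587) server


@dataclass
class Session:
    policy: Policy
    tls_active: bool = False
    authenticated: bool = False
    transcript: list = field(default_factory=list)

    def _reply(self, text):
        self.transcript.append(text)
        return text

    def ehlo(self):
        # Advertise AUTH only once the channel is encrypted (or when the
        # admin explicitly chose not to require TLS), so well-behaved
        # clients never even attempt to send credentials in the clear.
        caps = ["250-mail.example.test"]
        if not self.tls_active:
            caps.append("250-STARTTLS")
        if self.tls_active or not self.policy.tls_required_for_auth:
            caps.append("250-AUTH PLAIN LOGIN")
        caps.append("250 OK")
        return self._reply("\r\n".join(caps))

    def starttls(self):
        if self.tls_active:
            return self._reply("503 5.5.1 TLS already active")
        self.tls_active = True  # stand-in for the real handshake
        return self._reply("220 2.0.0 Ready to start TLS")

    def auth(self, mechanism, credentials_ok):
        # RFC 3207 section 4: a server that requires TLS may answer any
        # other command with this 530 until STARTTLS has been completed.
        if self.policy.tls_required_for_auth and not self.tls_active:
            return self._reply("530 5.7.0 Must issue a STARTTLS command first")
        if not credentials_ok:
            return self._reply("535 5.7.8 Authentication credentials invalid")
        self.authenticated = True
        return self._reply("235 2.7.0 Authentication successful")

    def mail_from(self, sender):
        # The submission listener relays only for authenticated users;
        # the MX listener accepts inbound mail from anyone.
        if self.policy.auth_required_to_relay and not self.authenticated:
            return self._reply("530 5.7.0 Authentication required")
        return self._reply("250 2.1.0 OK")


def run_client_script(policy, commands):
    """Drive one Session with (verb, *args) tuples; return the reply codes."""
    session = Session(policy)
    codes = []
    for verb, *args in commands:
        reply = getattr(session, verb)(*args)
        codes.append(int(reply[:3]))
    return codes


MX_POLICY = Policy(port=25, tls_required_for_auth=True, auth_required_to_relay=False)
SUBMISSION_POLICY = Policy(port=587, tls_required_for_auth=True, auth_required_to_relay=True)

# Constructed client behaviour: tries AUTH in the clear, then does it properly.
NAIVE_THEN_CORRECT = [
    ("ehlo",),
    ("auth", "PLAIN", True),   # rejected with 530: no TLS yet
    ("starttls",),
    ("ehlo",),                 # AUTH is advertised only now
    ("auth", "PLAIN", True),   # accepted
    ("mail_from", "user@example.test"),
]

if __name__ == "__main__":
    print(run_client_script(SUBMISSION_POLICY, NAIVE_THEN_CORRECT))
```

The `ehlo()` behaviour matters as much as the 530 reply: a client that only sees `AUTH` advertised after `STARTTLS` will not send a password in the clear by accident, while the explicit rejection covers clients that try anyway. Swapping `SUBMISSION_POLICY` for `MX_POLICY` shows the two-listener split: the port 25 model accepts `MAIL FROM` without authentication, the port 587 model refuses it.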