STARTTLS and sp*m
S.P.Zeidler
spz at serpens.de
Wed Apr 16 23:31:42 CEST 2008
Hi,
Thus wrote Tim (tim-projects at sentinelchicken.org):
[...]
> I've performed my share of MitM
> attacks, and in this particular protocol there are several very
> effective strategies if the end points try to be forgiving about
> STARTTLS support.
[...]
and some are entirely unintentional. Pix, inspect smtp, aaaaargh!
FWIW, in my own little pond I have my own little CA for mail, and if a
host speaks STARTTLS -and- verifies, they may relay, and they are exempt
from any other checks (for spamminess).

This doesn't extend well to other ponds that do the same, though; a map
that gives the client certificate to use for a destination server would
help here.
regards,
spz
--
spz at serpens.de (S.P.Zeidler)
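
The per-destination map suggested above, combined with a non-forgiving STARTTLS check on the sending side, as an added example that is not part of the original message. Host names, certificate paths and the policy layout are hypothetical, and the EHLO replies are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass(frozen=True)
class Policy:
    require_tls: bool
    client_cert: Optional[str] = None  # certificate issued by that pond's mail CA

# Hypothetical map: destination server -> policy and client certificate to present.
POLICY_MAP = {
    "mx.pond-a.example": Policy(True, "/etc/mail/certs/for-pond-a.pem"),
    "mx.pond-b.example": Policy(True, "/etc/mail/certs/for-pond-b.pem"),
}
DEFAULT = Policy(require_tls=False)  # opportunistic TLS for everyone else

# Constructed EHLO replies: as the server sent it, and with the STARTTLS
# keyword overwritten by an inspecting middlebox on the path.
CLEAN = "250-mx.pond-a.example\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
MASKED = "250-mx.pond-a.example\r\n250-SIZE 10240000\r\n250-XXXXXXXA\r\n250 8BITMIME\r\n"

def ehlo_keywords(reply: str) -> Set[str]:
    """Return the extension keywords of a multi-line 250 EHLO reply."""
    lines = [l.rstrip("\r") for l in reply.split("\n") if l.strip()]
    keywords = set()
    for line in lines[1:]:  # the first line is the greeting, not a keyword
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO reply line: %r" % line)
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords

def decide(dest: str, reply: str) -> Tuple[str, Optional[str]]:
    """Return (action, client_cert); action is 'starttls', 'plaintext' or 'defer'."""
    policy = POLICY_MAP.get(dest.lower().rstrip("."), DEFAULT)
    if "STARTTLS" in ehlo_keywords(reply):
        # Caller must still verify the server certificate after the handshake.
        return ("starttls", policy.client_cert)
    if policy.require_tls:
        # Keyword absent or masked in transit: keep the mail queued, never downgrade.
        return ("defer", None)
    return ("plaintext", None)  # forgiving behaviour, only without a policy entry

if __name__ == "__main__":
    for dest, reply in [("mx.pond-a.example", CLEAN), ("mx.pond-a.example", MASKED),
                        ("mx.other.example", MASKED)]:
        print(dest, decide(dest, reply))
```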