On Tue, Nov 07, 2000 at 08:59:58PM +0000, Philip Hazel wrote:
> > I unfortunately haven't had the time to look at the SSL support that's in
> > exim now, and it may be able to do SSL directly on the ssmtp port, without
> > the unneeded STARTTLS stuff.
>
> It *needs* STARTTLS, not only because the RFC says so, but so that Exim
> knows to call the OpenSSL library function which does the server end of
> a TLS session negotiation. If the client just starts negotiating without
> sending STARTTLS, what Exim sees is invalid SMTP commands...
I very well understand that.
I just never saw the point of STARTTLS when you can run another instance of
the daemon on a different port, the SSL port, where you know that you will
only get SSL connections.
Don't take me wrong, it's a good thing that exim supports it since netscape
requires it and I'll be able to get rid of the awful stunnel hack I have.
I didn't know if the new exim code had a flag to negotiate SSL right away,
and it seems not from what you say, but that should be trivial to add.
People would use this by running a different instance of exim on port ssmtp
(465), like I currently do with an stunnel wrapper.
I don't know much about SSL mailers other than netscape, but I read that
some MUAs that supported SMTP/SSL pre that STARTTLS RFC (which includes
netscape 3.x) just talk SSL on port 465.
pops and imaps work fine without STARTTLS too :-)
While I don't know the details, I've always wondered if STARTTLS was a
netscape ploy to make people buy their SSL capable MTA solution as no MTAs
were STARTTLS capable when netscape 4.0 came out, and STARTTLS by design
prevents the use of an SSL wrapper (the stunnel STARTTLS hack is really
really ugly :-p)
Marc
PS: I got your other mail with configuration tweaks for mailman. I'm
currently working on this. I'll report back soon (Thanks BTW)
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page:
http://marc.merlins.org/ | Finger marc_f@??? for PGP key
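The situation Philip describes in the quoted reply (a client that starts the TLS handshake without sending STARTTLS, so the MTA sees what look like invalid SMTP commands) can be told apart from real SMTP by looking at the first bytes on the wire. The classifier below is an added example, not code from the thread, from Exim or from stunnel; the sample inputs are constructed, and the function names are my own.

```python
# Added example: classify the first bytes a client sends to an SMTP listener.
# Lets a server or log analyser record "client spoke TLS/SSL without STARTTLS"
# (what a pre-STARTTLS MUA does on port 465) instead of just "bad command".

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type: ClientHello (also SSLv2 msg type)
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP",
              b"QUIT", b"VRFY", b"EXPN", b"HELP", b"AUTH", b"STARTTLS"}


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'sslv2-client-hello', 'smtp-command' or 'unknown'."""
    # TLS record header: type(1) version-major(1) version-minor(1) length(2),
    # followed by the first handshake message's type byte.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04 and data[5] == CLIENT_HELLO):
        return "tls-client-hello"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then the
    # CLIENT-HELLO message type (0x01) and a 2-byte version.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == CLIENT_HELLO and data[3] in (0x00, 0x02, 0x03):
        return "sslv2-client-hello"
    # A legitimate SMTP client sends an ASCII command line terminated by CRLF.
    line, sep, _ = data.partition(b"\r\n")
    if sep and line.isascii():
        verb = line.split(b" ", 1)[0].upper()
        if verb in SMTP_VERBS:
            return "smtp-command"
    return "unknown"


def describe(data: bytes) -> str:
    """One log-style line explaining what the listener saw (constructed format)."""
    kind = classify_first_bytes(data)
    if kind in ("tls-client-hello", "sslv2-client-hello"):
        return f"{kind}: client started SSL/TLS without STARTTLS; serve it on port 465 instead"
    if kind == "smtp-command":
        return "smtp-command: normal session"
    return "unknown: not SMTP and not a TLS/SSL hello"


if __name__ == "__main__":
    # Constructed samples: a minimal TLS 1.0 record carrying a ClientHello, and a real command.
    print(describe(b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01"))
    print(describe(b"EHLO mail.example.com\r\n"))
```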