[Exim] Re: TLS Problem

Author: Suresh Ramasubramanian
Date:  
To: exim-users
Subject: [Exim] Re: TLS Problem
+++ Matthew Byng-Maddick [exim-users] <28/12/01 02:22 +0000>:
> If your mailserver offers TLS, does it check the CA on the certificates?
> If not, how does it stop an MitM attack?
It is not foolproof. It however does prevent casual attempts to grab your
traffic and eavesdrop on it.

If you want more than that, it has to be negotiated among clients, using PGP,
or whatever else.

> If you read up about ESMTP I think you may be surprised to find that that
> is not how it works. As, I'm sure, you well know, the correct way to do
> ESMTP is to try the EHLO and see if you get back a command unrecognised
> response. If you do, then you say HELO and you fallback to normal SMTP.
That's right. However, it does try EHLO first, and will go ahead with ESMTP
commands.

> As I've said before, if you want to capture the mail, there are generally
> enough other ways, that it doesn't guarantee any sort of privacy.
It is just one further step. You'd have to set up what is essentially a web
of trust among MTAs if you want to go farther than this, server side.

--
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin
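The two points argued in this thread, that a client should try EHLO and fall back to HELO on a "command unrecognised" reply, and that STARTTLS without a CA check encrypts the session but does not detect a man-in-the-middle, can be seen in a small negotiation model. The following is an added example written for this archive page; it is not Exim code and not code from either poster. It replays constructed SMTP transcripts instead of opening sockets (the server names `old.example`, `mail.example` and the client name `client.example` are made up), and it builds the real `ssl` context a client would use after STARTTLS so the difference between a verifying and an opportunistic context is concrete.

```python
import ssl
from dataclasses import dataclass


class ScriptedServer:
    """Stand-in for an SMTP server: replays a fixed transcript (constructed for this example).

    Each script entry is (expected command verb, reply text). The verb the client
    sends is checked, so the order of the negotiation is verified as well as its result.
    """

    def __init__(self, script):
        self.script = list(script)
        self.log = []

    def send(self, command):
        verb = command.split()[0].upper()
        expected_verb, reply = self.script.pop(0)
        if verb != expected_verb:
            raise AssertionError(f"script expected {expected_verb}, client sent {verb}")
        self.log.append(command)
        return reply


def parse_reply(reply):
    """Split an SMTP reply into (code, [text lines]).

    Multi-line replies use 'NNN-' on every line but the last, which uses 'NNN '.
    """
    lines = reply.split("\r\n")
    code = int(lines[0][:3])
    texts = []
    for line in lines:
        if len(line) < 4 or int(line[:3]) != code:
            raise ValueError(f"malformed reply line: {line!r}")
        texts.append(line[4:])
    if lines[-1][3] != " ":
        raise ValueError("reply has no terminating line")
    return code, texts


def client_tls_context(verify_peer=True):
    """Build the client-side TLS context used after STARTTLS.

    verify_peer=True  -> CA chain and hostname are checked; a forged certificate fails.
    verify_peer=False -> opportunistic TLS as the thread describes: the session is
                         encrypted, but any certificate is accepted, so an MitM is not detected.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    if not verify_peer:
        ctx.check_hostname = False       # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


@dataclass
class Session:
    esmtp: bool          # server understood EHLO
    starttls: bool       # STARTTLS was offered and accepted
    verifies_peer: bool  # the TLS layer checks the CA chain and hostname


def negotiate(server, verify_peer=True, client_name="client.example"):
    """EHLO first; on 'command unrecognised' fall back to HELO; then STARTTLS if offered."""
    code, texts = parse_reply(server.send(f"EHLO {client_name}"))
    if code in (500, 502):  # pre-ESMTP server: fall back to plain SMTP
        code, _ = parse_reply(server.send(f"HELO {client_name}"))
        if code != 250:
            raise RuntimeError(f"HELO rejected with {code}")
        return Session(esmtp=False, starttls=False, verifies_peer=False)
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    # First text line is the server name; the rest are extension keywords.
    extensions = {line.split()[0].upper() for line in texts[1:] if line.strip()}
    if "STARTTLS" not in extensions:
        return Session(esmtp=True, starttls=False, verifies_peer=False)
    code, _ = parse_reply(server.send("STARTTLS"))
    if code != 220:
        raise RuntimeError(f"STARTTLS refused with {code}")
    ctx = client_tls_context(verify_peer)
    # A real client now calls ctx.wrap_socket(sock, server_hostname=...) and re-issues EHLO.
    verified = ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return Session(esmtp=True, starttls=True, verifies_peer=verified)


# Constructed transcripts standing in for three kinds of server.
def old_server():
    return ScriptedServer([("EHLO", "500 Command unrecognised"),
                           ("HELO", "250 old.example")])


def plain_esmtp_server():
    return ScriptedServer([("EHLO", "250-mail.example\r\n250-SIZE 52428800\r\n250 HELP")])


def tls_server():
    return ScriptedServer([("EHLO", "250-mail.example\r\n250-STARTTLS\r\n250 HELP"),
                           ("STARTTLS", "220 TLS go ahead")])


if __name__ == "__main__":
    print(negotiate(old_server()))
    print(negotiate(tls_server(), verify_peer=True))
    print(negotiate(tls_server(), verify_peer=False))
```

Running it shows the three outcomes side by side: the old server is spoken to with HELO and no TLS, and the STARTTLS server yields a session that either does or does not verify the peer depending only on the context the client chose; the wire protocol is identical in both cases, which is why "offers TLS" on its own says nothing about MitM resistance.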