Re: [exim] Why is STARTTLS preferred over tls_on_connect_por…

Author: Lars Mainka
Date:  
To: Tony Finch
CC: Exim Users
Subject: Re: [exim] Why is STARTTLS preferred over tls_on_connect_ports?
> Actually the information in the HELO command is completely uninteresting
> to an attacker. The real reason that TLS-on-connect is more secure than
> STARTTLS is because it is more resistant to downgrade attacks. However
> this is mostly to do with the bad quality of implementation of most SMTP
> clients - they encourage users to make security optional rather than
> required, which makes the attacker's job much easier.
If STARTTLS is used as it should be, for example using strong certificate verification, checking
encryption within the connection, strong authentication methods, denying weak ciphers and so on, you
should be as secure as with tls_on_connect.

Unfortunately the handling of the TLS/SSL implementations in clients is really bad and not
transparent.
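To make the point above concrete, here is an added Exim configuration example (not part of the thread, and not an official Exim snippet) showing an opportunistic smtp transport beside one that requires and verifies STARTTLS, plus the TLS-on-connect form. The option names are real Exim options (a recent Exim with OpenSSL is assumed); the transport names, host pattern, port and cipher string are assumptions.

```exim
# Added example: three Exim smtp transports. Option names are real Exim
# options; transport names, host patterns and the cipher string are assumed.

# Opportunistic form: STARTTLS is tried, but if the peer does not offer it
# (or a man-in-the-middle strips the 250-STARTTLS capability) delivery
# quietly continues in cleartext, and no certificate check is made. This is
# the "security optional" behaviour criticised in the thread.
remote_smtp_opportunistic:
  driver = smtp
  hosts_try_tls = *

# Required-and-verified form: STARTTLS "used as it should be". Delivery is
# deferred rather than downgraded to cleartext, the peer certificate must
# chain to a trusted CA, and weak ciphers are refused.
remote_smtp_required:
  driver = smtp
  hosts_require_tls = *                       # no cleartext fallback
  tls_verify_certificates = system            # trust the system CA bundle
  tls_verify_hosts = *                        # verification failure is fatal
  tls_require_ciphers = HIGH:!aNULL:!MD5:!RC4 # OpenSSL cipher string (assumed)
  tls_sni = $host

# TLS-on-connect alternative (the tls_on_connect_ports side of the thread):
# TLS is negotiated before any SMTP command, so there is no STARTTLS
# capability to strip, but certificate verification is still needed.
remote_smtps:
  driver = smtp
  port = 465                                  # assumed implicit-TLS port
  protocol = smtps
  tls_verify_certificates = system
  tls_verify_hosts = *
```

The defender's check is the same in both secure transports: a delivery that cannot get verified TLS should fail visibly in the Exim log, never fall back to cleartext.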