On Tue, 15 Oct 2013, Viktor Dukhovni wrote:
> Also keep in mind that SMTP use of TLS is almost universally
> *opportunistic*, TLS is used without authentication when possible,
> and plaintext is used otherwise or as a fallback when TLS handshakes
> fail (at least in Postfix).

Whilst opportunistic TLS dominates in SMTP, I believe that it is
not "almost universal", at least if you include 587/submission and
465/smtps as well as 25/smtp.

Breaking opportunistic TLS is not good, but the message was
available in plain at any intermediate hub so any sensitive
message should have been encrypted anyway.

I believe that most mail administrators enable TLS to protect
authenticated submission from MTAs. Features like
server_advertise_condition go some way to ensure that
crypto failure stops authentication and hence the message cannot be
sent. Thus crypto failure creates an immediate and obvious break
in service, not a hidden loss of security.

I do believe that https/tls advice is not necessarily appropriate
for smtp, but I've found it very difficult to find out, or figure
out for myself, what is the correct answer in many cases.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@??? http://www.dpmms.cam.ac.uk/~werdna
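
The message above describes advertising AUTH only when TLS is in place, so that a crypto failure stops authentication outright. The following is an added example, not part of the original message or of any mail server's code: a check over EHLO replies captured before and after STARTTLS that reports when AUTH is offered in cleartext. The function names and the sample replies are constructed for illustration.

```python
# Added example: audit EHLO replies from a submission port to confirm that
# AUTH is only advertised once TLS is active. All names here are hypothetical.

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    lines = [l for l in reply.splitlines() if l.strip()]
    exts = {}
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line is the server greeting, not an extension
        if text.upper().startswith("AUTH="):
            text = text.replace("=", " ", 1)  # legacy "AUTH=PLAIN LOGIN" form
        words = text.split()
        if words:
            exts.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return exts

def audit(pre_tls, post_tls):
    """Return findings for one server, given its EHLO reply before and after STARTTLS."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if "AUTH" in pre:
        # Credentials could be sent in plaintext if the TLS step is skipped or stripped.
        findings.append("AUTH advertised before TLS: " + " ".join(pre["AUTH"]))
    if "AUTH" not in post:
        findings.append("AUTH not advertised after TLS")
    return findings

# Constructed sample replies (not captured from a real server).
HEAD = "250-mail.example.test Hello client\r\n250-SIZE 52428800\r\n"
GATED_PRE = HEAD + "250-STARTTLS\r\n250 HELP\r\n"
GATED_POST = HEAD + "250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"
UNGATED_PRE = HEAD + "250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n"

if __name__ == "__main__":
    for name, pre in (("gated", GATED_PRE), ("ungated", UNGATED_PRE)):
        print(name, audit(pre, GATED_POST) or "ok")
```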