View Single Post
Old 17 Oct 2016, 12:57 PM   #305
Junior Member
Join Date: Jan 2010
Location: US, New Jersey
Posts: 22
Originally Posted by brong View Post
I repeat. _it_does_not_matter_. Because an active proxy can rewrite that however it likes, offering SSLv3 only, or offering plaintext only. So the only thing that will stop those being used by an active attacker is senders refusing to send at all in those cases.
The only thing active proxy should be able to do is to remove STARTTLS... If MX _client_ is verifying certificate properly, someone has to steal signed certificate to impersonate _server_ endpoint. Server won't know for sure who is talking to it, unfortunately reverse DNS is not an authentication mechanism...

I am glad, you will go with the flow. And I have no issue with offering only IMAPS/POPS - this is right thing to do.

As for client certificates - I have some reservations... headaches with implementation usually outweigh benefits Biggest issues I deal with are certificate expiration and correct trust chain...

Thanks a lot for your clarifications, appreciate your patience!
dgcom is offline   Reply With Quote