On 22.08.2017 03:56, Peter wrote:
>>> Lest anyone think STARTTLS MITM doesn't happen,
>>> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
> Right, the attack does happen, but it can be prevented by properly
> configuring the server and client.
Dovecot, by default, requires STARTTLS before accepting plaintext
authentication when SSL is configured and you are not connecting from
localhost. You can verify this by telnetting to port 143 from somewhere
else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you
have enabled something like cram-md5.

I think Postfix, by default, will also prevent authentication without
transport security.

Also, you should probably be using 587/tcp (submission) for sending mail,
instead of 25. Some reputable ISPs prevent connecting to random MX
servers to port 25 to make life harder for spambots.
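
Added example, not part of the original message: a scripted form of the port 143 check described above, which reads what an IMAP server advertises before TLS and reports whether STARTTLS is offered and plaintext login is refused. The function names and the sample lines are assumptions constructed for illustration; `fetch_pre_tls_lines` should be run from a host other than the server itself.

```python
import re
import socket

# Constructed sample pre-TLS lines (not captured from a real server).
SAMPLE_HARDENED = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."
SAMPLE_WEAK = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
SAMPLE_NO_STARTTLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"  # what a client sees if STARTTLS is missing

def fetch_pre_tls_lines(host, port=143, timeout=5.0):
    """Collect the greeting and the CAPABILITY reply without starting TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        lines = [f.readline().decode("ascii", "replace").strip()]
        f.write(b"a1 CAPABILITY\r\n")
        f.flush()
        while True:
            line = f.readline().decode("ascii", "replace").strip()
            if not line or line.startswith("a1 "):  # EOF or tagged completion
                break
            lines.append(line)
        return lines

def parse_capabilities(line):
    """Capabilities from a '[CAPABILITY ...]' greeting code or a '* CAPABILITY' reply."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    return {c.upper() for c in m.group(1).split()} if m else set()

def audit_pre_tls(lines):
    """Summarise what the server allows before the client has issued STARTTLS."""
    caps = set()
    for line in lines:
        caps |= parse_capabilities(line)
    plain = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    return {
        "starttls_offered": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,
        "plaintext_sasl": plain,  # mechanisms that send the password in the clear
        "ok": "STARTTLS" in caps and "LOGINDISABLED" in caps and not plain,
    }

if __name__ == "__main__":
    for name, line in [("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK),
                       ("no-starttls", SAMPLE_NO_STARTTLS)]:
        print(name, audit_pre_tls([line]))
```

A result with `starttls_offered` false against a server that is configured for SSL is worth investigating from a second network path, since the client and the server then disagree about what was advertised.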

