In message <[email protected]>, Jeremy Harris <[email protected]> writes

>So much for encouraging people to actually use security.

There's a difference between "encouragement" and subtly breaking existing configurations without even a mention in the Fine Manual (or the upgrade instructions).

On balance I don't think you should ever break existing systems at all without a compelling security case (or perhaps, with a view to simplifying the codebase, by upgrading legacy warnings to errors if they have been present for a considerable number of revisions).

Note that for many people STARTTLS is either irrelevant (their threat model does not encompass network layer attackers) or insufficient (because of MiTM attacks, downgrades etc). That is, I don't think this security case is currently so compelling that failure to force its use would be negligent.

BTW: I consulted folks yesterday evening, and Yahoo's mail system is very closely based on an extremely widely deployed MTA -- and so the expectation is that they will not have been far from alone in failing to deliver email to my upgraded system over the past few days :-(

Fixes along the lines being discussed seem sane -- changing the default back, but also producing a warning when Exim starts that more security could be achieved by adding a certificate and changing the config.

-- 
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
Benjamin Franklin

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
