On Thu, May 24, 2001 at 08:56:21AM -0600, Lynn Winebarger wrote:
>
> I would like to only allow auth after tls is started. It doesn't look
> like the current smtpd-auth patch does that.
> According to RFC 2487,
> The client
> MUST discard any knowledge obtained from the server, such as the list
> of SMTP service extensions, which was not obtained from the TLS
> negotiation itself.
> so that, theoretically, you could just not list AUTH until after a
> successful STARTTLS. It appears the easiest way to do this in qmail would
> be to just duplicate the array of SMTP commands, with the initial one
> lacking AUTH (this also appears the most foolproof way).
That doesn't make sense. AUTH is available without STARTTLS, so no sense in
hiding it before STARTTLS.
> Does anyone know of widely used clients that don't conform to this part
> of the RFC?
RFC says "the client MUST discard...", not "the server MUST NOT offer ...
before STARTTLS".
--
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
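To make the two positions in this exchange concrete, here is a constructed toy model (not qmail code, not from either poster) of a server that keeps separate cleartext and post-TLS EHLO extension lists, with the "AUTH only after STARTTLS" policy as a switch, and an RFC 2487 client that discards the cleartext list after STARTTLS and re-issues EHLO. The names SmtpServer, ehlo_extensions and client_session are hypothetical, and the TLS handshake is elided to a flag.

```python
# Constructed example of the EHLO/STARTTLS/AUTH policy discussed in the thread.
# SmtpServer, ehlo_extensions and client_session are hypothetical names; the
# TLS handshake itself is elided (a flag flips when STARTTLS is accepted).

AUTH_EXT = "AUTH PLAIN LOGIN"


class SmtpServer:
    """Toy server keeping two extension lists: one for cleartext, one post-TLS."""

    def __init__(self, auth_requires_tls):
        self.auth_requires_tls = auth_requires_tls  # True = hide/refuse AUTH before TLS
        self.tls = False
        self.authenticated = False

    def ehlo_extensions(self):
        # Equivalent of duplicating the command table: the cleartext list offers
        # STARTTLS (and AUTH only if policy allows it); the TLS list offers AUTH
        # and no longer STARTTLS.
        exts = ["PIPELINING", "8BITMIME"]
        if not self.tls:
            exts.append("STARTTLS")
        if self.tls or not self.auth_requires_tls:
            exts.append(AUTH_EXT)
        return exts

    def handle(self, line):
        verb = line.split(None, 1)[0].upper()
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.tls = True  # handshake elided
            return "220 Ready to start TLS"
        if verb == "AUTH":
            # Enforce the policy server-side too: hiding AUTH in EHLO alone
            # does not stop a client that sends AUTH anyway.
            if self.auth_requires_tls and not self.tls:
                return "530 Must issue a STARTTLS command first"
            self.authenticated = True
            return "235 Authentication successful"
        return "500 Unrecognized command"


def client_session(server, use_tls):
    """RFC 2487-conforming client: after STARTTLS it discards the cleartext
    EHLO extension list and re-issues EHLO before deciding whether to AUTH."""
    exts = server.ehlo_extensions()
    if use_tls and "STARTTLS" in exts:
        server.handle("STARTTLS")
        exts = server.ehlo_extensions()  # fresh list; the old one is forgotten
    if AUTH_EXT in exts:
        return server.handle("AUTH PLAIN dGVzdAB0ZXN0AHBhc3M=")  # constructed blob
    return "no AUTH offered"
```

With auth_requires_tls=True a cleartext client never sees AUTH and gets a 530 if it tries anyway; with it False the server behaves as Henning describes and offers AUTH in both states.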