> Custom implementations are allowed to change anything as long 
> as they take out STARTTLS from the re-advertisement in tls mode.

While that is true to the words of the standard, I have already
seen working implementations which continue to announce STARTTLS
even after the session has switched to TLS. Of course we should
be standards compliant here.

> As far as starttls on port 25, the server cannot EVER require
> tls, according to RFC (unless an internal relay),

Yes, but as qpsmtpd might as well be used for an internal mail
relay, we need to implement the possibility to make TLS mandatory.

> We definitely don't need to deal in the server with how long
> it is until certs expire or if the cert has the correct server
> name etc or has been revoked.

This is only true for our own (server) cert. If we request client
certificates (e.g. for allowing relaying) we would need some way
to determine "valid" certificates.

Regards
Michael

-- 
      It's an insane world, but i'm proud to be a part of it. -- Bill Hicks
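
The first two points of this message (STARTTLS has to drop out of the EHLO reply once the session is in TLS, and an internal relay may want TLS to be mandatory) as an added Python sketch. It is not part of the original message and not qpsmtpd code; `Session`, `require_tls`, the hostname and the extension list are hypothetical, and the TLS handshake is simulated by a flag.

```python
# Added illustration, not qpsmtpd code. All names below are hypothetical.
from dataclasses import dataclass

@dataclass
class Session:
    tls_active: bool = False   # becomes True after a successful STARTTLS
    require_tls: bool = False  # assumed policy switch for an internal relay

BASE_EXTENSIONS = ["PIPELINING", "8BITMIME", "STARTTLS"]

# RFC 3207: when TLS is required, reply 530 to every command
# other than NOOP, EHLO, STARTTLS or QUIT until TLS is up.
ALLOWED_IN_CLEAR = {"NOOP", "EHLO", "STARTTLS", "QUIT"}

def ehlo_response(session, hostname="mail.example.test"):
    """Build the multi-line 250 reply; omit STARTTLS once TLS is active."""
    exts = [e for e in BASE_EXTENSIONS
            if not (e == "STARTTLS" and session.tls_active)]
    lines = [hostname] + exts
    # Every line but the last uses "250-", the last uses "250 ".
    return [f"250-{l}" for l in lines[:-1]] + [f"250 {lines[-1]}"]

def handle(session, line):
    """Return the reply lines for one client command."""
    verb = line.strip().split(" ", 1)[0].upper()
    if (session.require_tls and not session.tls_active
            and verb not in ALLOWED_IN_CLEAR):
        return ["530 Must issue a STARTTLS command first"]
    if verb == "EHLO":
        return ehlo_response(session)
    if verb == "STARTTLS":
        if session.tls_active:
            # Reply code for a repeated STARTTLS is a choice of this sketch.
            return ["503 TLS already active"]
        session.tls_active = True  # stands in for the real handshake
        return ["220 Ready to start TLS"]
    return ["250 OK"]

if __name__ == "__main__":
    s = Session(require_tls=True)
    for cmd in ["EHLO client.example.test", "MAIL FROM:<a@example.test>",
                "STARTTLS", "EHLO client.example.test",
                "MAIL FROM:<a@example.test>"]:
        print("C:", cmd)
        for reply in handle(s, cmd):
            print("S:", reply)
```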
