Hi Jeremy,

> On 08/15/2018 03:55 PM, Valery Smyslov wrote:
> >    o  Following the negotiation of STARTTLS, the SMTP server MUST
> >       advertise in the subsequent EHLO response that it supports
> >       REQUIRETLS.
> >
> > 2. I also have a question regarding the last bullet above - why advertising
> > REQUIRETLS is linked with negotiation of STARTTLS?
> > It is my understanding that TLS session may be established
> > without negotiation STARTTLS (as recommended by RFC8314),
> > so why the last bullet doesn't say just: "The SMTP server must
> > advertise in the EHLO response that it supports REQUIRETLS"?
> 
> It would not be logically consistent to offer REQUIRETLS in
> a plaintext session, since it cannot be supported.  I'd be
> happy if the wording only required the TLS is active for
> it to be advertised, so covering both STARTTLS and TLS-on-connect
> usage.

That was my point.

> The first bullet doesn't quite cover that as it is talking about
> the REQUIRETLS option on the MAIL command.  If the requirement
> on the service extension advertising is sufficiently tight, it
> would be enough to say "if the <extension> was not advertised
> by the server, the client MAY NOT <use the option>".
> 
> [ That is common for ESMTP service extensions; do we have to
>   say it?
> ]

I don't think it's necessary. The 3rd bullet has already said that the server
must advertise REQUIRETLS for the client to use it. Just decouple it from
STARTTLS, since the 1st bullet has already said that the session must be TLS
protected (regardless of using STARTTLS or connecting to an SMTP TLS port).

Regards,
Valery.
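As an added illustration (not part of the thread, nor from the draft's authors), here is a small Python model of the advertisement rule being discussed: the server lists REQUIRETLS in its EHLO reply only once the session is TLS-protected, whether that came from STARTTLS or from TLS-on-connect, and the client puts the REQUIRETLS parameter on MAIL FROM only if the server advertised it. The host name, the other extension keywords and the reply texts are constructed sample values, and the `SmtpSession` / `ehlo_response` / `mail_from` names are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example, not code from the thread or the draft. It models the
# REQUIRETLS advertisement rule: advertise only when TLS is active, and let
# the client use the MAIL parameter only after seeing the advertisement.


@dataclass
class SmtpSession:
    """Security state of one SMTP session (constructed model)."""
    tls_active: bool = False                 # True after STARTTLS or TLS-on-connect
    advertised: set = field(default_factory=set)  # keywords seen in the last EHLO


def ehlo_response(session: SmtpSession, hostname: str = "mail.example.test") -> list:
    """Build the server's EHLO reply lines.

    REQUIRETLS is listed only when the session is already TLS-protected,
    regardless of how TLS was established.  STARTTLS is offered only on a
    plaintext session, since it cannot be used a second time.
    """
    extensions = ["8BITMIME", "SIZE 10485760"]      # sample extensions
    if session.tls_active:
        extensions.append("REQUIRETLS")
    else:
        extensions.append("STARTTLS")
    # Remember what this EHLO advertised; the client consults this later.
    session.advertised = {e.split()[0] for e in extensions}
    lines = [f"250-{hostname} Hello"]
    lines += [f"250-{e}" for e in extensions[:-1]]
    lines.append(f"250 {extensions[-1]}")           # last line uses "250 " not "250-"
    return lines


def starttls(session: SmtpSession) -> str:
    """Simulate a successful STARTTLS handshake; the client must issue EHLO again."""
    if session.tls_active:
        return "503 TLS already active"
    session.tls_active = True
    session.advertised = set()   # pre-TLS EHLO state is discarded after STARTTLS
    return "220 Ready to start TLS"


def implicit_tls_connect() -> SmtpSession:
    """Session opened on a TLS-on-connect port: TLS is active from the first byte."""
    return SmtpSession(tls_active=True)


def mail_from(session: SmtpSession, sender: str, require_tls: bool) -> str:
    """Client side: add the REQUIRETLS parameter only if the server advertised it."""
    if require_tls and "REQUIRETLS" not in session.advertised:
        raise ValueError("REQUIRETLS not advertised by server; refusing to send")
    cmd = f"MAIL FROM:<{sender}>"
    if require_tls:
        cmd += " REQUIRETLS"
    return cmd


if __name__ == "__main__":
    # Walk through the STARTTLS path and print both sides' messages.
    s = SmtpSession()
    print("\n".join(ehlo_response(s)))        # plaintext: STARTTLS offered, no REQUIRETLS
    print(starttls(s))
    print("\n".join(ehlo_response(s)))        # after TLS: REQUIRETLS offered
    print(mail_from(s, "alice@example.test", require_tls=True))
```

Running the module shows the two EHLO replies side by side: the plaintext one offers STARTTLS and omits REQUIRETLS, the post-TLS one offers REQUIRETLS, and the client only then emits `MAIL FROM:<...> REQUIRETLS`. The `implicit_tls_connect` path yields the same advertisement without any STARTTLS step, which is the decoupling the reply above argues for.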


_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta