This repository was archived by the owner on Nov 28, 2024. It is now read-only.
[SECURITY] Option to enforce STARTTLS #23
Closed
Description
Lines 98 to 105 in 1e5036a
This code only tries to upgrade to a TLS connection if the server reports that it supports the STARTTLS extension. If an attacker intercepts the SMTP connection and responds that the extension is unknown, then they can prevent TLS from being turned on.
It would be backwards incompatible to expect STARTTLS by default, but we can make an option that would enforce a STARTTLS connection.
Of course, if the connection is already protected by SSL, then STARTTLS is unnecessary.
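The policy requested above, as an added Python sketch built on the standard `smtplib` (not this repository's code): with a mandatory policy, a reply that omits STARTTLS aborts the session instead of continuing in plaintext. The names `StartTLSRequired`, `parse_ehlo_extensions`, `tls_action` and `open_session` are hypothetical.

```python
import smtplib
import ssl

class StartTLSRequired(Exception):
    """TLS is mandatory but the server did not advertise STARTTLS."""

def parse_ehlo_extensions(reply):
    """Return the upper-cased extension keywords from a raw EHLO reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:  # first line carries the server domain
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            fields = line[4:].split()
            if fields:
                keywords.add(fields[0].upper())
    return keywords

def tls_action(extensions, already_tls, mandatory):
    """Decide what to do before sending credentials or mail."""
    if already_tls:
        return "none"       # implicit TLS: STARTTLS is unnecessary
    if "STARTTLS" in extensions:
        return "upgrade"
    if mandatory:
        # A missing keyword may be an old server or an on-path downgrade;
        # the client cannot tell them apart, so it refuses to continue.
        raise StartTLSRequired("server did not offer STARTTLS")
    return "plaintext"      # opportunistic, backwards-compatible default

def open_session(host, port=587, mandatory=True, timeout=10):
    """Connect with smtplib and apply the policy (needs a reachable server)."""
    client = smtplib.SMTP(host, port, timeout=timeout)
    try:
        client.ehlo()
        offered = {name.upper() for name in client.esmtp_features}
        if tls_action(offered, already_tls=False, mandatory=mandatory) == "upgrade":
            client.starttls(context=ssl.create_default_context())
            client.ehlo()   # extensions must be re-read over the TLS channel
        return client
    except Exception:
        client.close()
        raise

# Constructed EHLO replies: what the server sent, and the same reply with
# the STARTTLS line removed in transit.
GENUINE = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
STRIPPED = "250-mail.example.test\r\n250-PIPELINING\r\n250 8BITMIME"
```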