oss-sec mailing list archives

Re: Python standard library defaults to insecure TLS for mail protocols


From: nightmare.yeah27 () aceecat org
Date: Thu, 1 Feb 2024 09:45:36 -0800

On Thu, Feb 01, 2024 at 12:31:00PM +0100, Hanno Böck wrote:

> Also relevant is RFC 8314, which contains guidelines for TLS
> connections in email protocols [5]. ("MUAs MUST validate TLS server
> certificates [...]") It targets client software, but I believe it is
> reasonable to apply the same standards to client APIs.

Relaying *MTAs* do not usually verify the certificate of the server
they connect to. When they do, it creates problems because MTA
certificates are very often self-signed. IIRC Yahoo relays in
particular used to have this problem (or still do?).

It is true that MTAs are not usually written in Python :-) So maybe
the proposal is OK. But there's a general point to note here, namely
not all protocols are the same wrt TLS.

-- 
Ian
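
The distinction drawn in this thread (an MUA-style client that must validate the server certificate, versus a relay that has to talk to peers with self-signed certificates) expressed as Python smtplib code. This is an added example, not code from the original post and not part of Python's standard library; the host, port and `cafile` values are hypothetical placeholders. Rather than falling back to an unverified context for a self-signed peer, the example pins that peer's certificate as the trust anchor, so verification stays on:

```python
import smtplib
import ssl
from email.message import EmailMessage


def verifying_context(cafile=None):
    """Build a client TLS context that validates the server certificate.

    ssl.create_default_context() returns a context with CERT_REQUIRED and
    check_hostname=True, which is the behaviour RFC 8314 requires of MUAs.
    For a relaying MTA that must reach a peer with a self-signed certificate,
    pass that peer's certificate as `cafile`: it becomes the only trust
    anchor, and verification is still enforced instead of being disabled.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # Refuse legacy protocol versions regardless of what the peer offers.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Return the verification settings in a form that is easy to check."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def send_with_starttls(host, port, msg, cafile=None):
    """Deliver `msg` over STARTTLS using an explicitly verifying context.

    Passing `context=` to starttls() is the important part: without it the
    library picks its own default, which is what the thread is about.
    """
    ctx = verifying_context(cafile)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=ctx)
        smtp.send_message(msg)


def build_message(sender, recipient, subject, body):
    """Construct a minimal RFC 5322 message (constructed sample content)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Hypothetical relay and pinned peer certificate; not real endpoints.
    message = build_message("alice@example.test", "bob@example.test",
                            "TLS test", "Sent over a verified STARTTLS session.")
    print(describe_context(verifying_context()))
    # send_with_starttls("mail.example.test", 587, message,
    #                    cafile="/path/to/peer-selfsigned.pem")
```

The `cafile` path covers the self-signed MTA case without reintroducing the unverified default: the relay trusts exactly one certificate for that peer, and any other certificate presented on that connection is rejected.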

