
Re: Interop problem with SMTP STARTTLS and Cisco PIX firewall



+----- On Wed, 24 Mar 1999 23:47:55 PST, "Scott Roberts" writes:
| In your email below you state that the primary problems are that the Cisco
| PIX is not RFC compliant and that Exchange 5.5 advertises STARTTLS even if
| no certificate is configured.  I do not have PIX so I will not comment
| regarding the problems it might have. I would like to comment on your
| opinion that a server that has a problem with its certificate should not
| advertise STARTTLS.
| 
| If the SMTP Server is not configured with a certificate, or it has expired,
| or it is using an invalid certificate the TLS Client will STILL fail during
| the TLS negotiation. If the SMTP Server did not advertise STARTTLS, due to
| an invalid or absent certificate, the TLS Client might return the
| message to the sender stating that the server does not support TLS even
| though the server was configured to do so. If the SMTP Server, with no
| certificate, advertised STARTTLS the negotiation would fail but the TLS
| Client would be aware that the server supports TLS and attempt to send the
| message at a later time in hopes that the certificate issue will be
| resolved. The issue is not with the product itself but with our opinions on
| what is expected by the SMTP server when there is an issue with the
| certificate and if it should advertise STARTTLS or not.

It seems to me that the right thing to do is only advertise STARTTLS if 
you plan to support it sometime in the near future i.e.:

" Make sure there is at least a mode where STARTTLS is not advertised.  A
quality implementation will only advertise STARTTLS if a valid server cert
is correctly configured. "

Waiting for mail to time out in a queue isn't particularly useful to 
anyone.

/Michael
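The two server behaviours argued over above, modelled as an added example (not code from either poster or from any of the products named): a server either advertises STARTTLS only when a usable certificate is installed, or advertises it regardless; a client that requires TLS then either bounces, defers, or delivers. The EHLO reply is constructed, and the TLS handshake is simulated as succeeding only when the server has a valid certificate.

```python
import re
from dataclasses import dataclass

# Client outcomes discussed in the thread.
SEND_TLS, SEND_PLAIN, DEFER, BOUNCE = "send_tls", "send_plain", "defer", "bounce"


@dataclass
class ServerConfig:
    cert_valid: bool               # a usable server certificate is configured
    advertise_without_cert: bool   # advertise STARTTLS even with no valid cert


def ehlo_reply(cfg, domain="mta.example"):
    """Build a constructed multi-line EHLO reply for the given server policy."""
    lines = ["250-%s Hello client.example" % domain]
    if cfg.cert_valid or cfg.advertise_without_cert:
        lines.append("250-STARTTLS")
    lines.append("250 SIZE 10485760")    # final line uses a space after the code
    return "\r\n".join(lines) + "\r\n"


def parse_ehlo_keywords(reply):
    """Return the set of EHLO keywords; the first 250 line is the greeting."""
    keywords = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def tls_handshake(cfg):
    """Simulated negotiation: fails whenever the server lacks a valid cert."""
    return cfg.cert_valid


def client_outcome(cfg, require_tls=True):
    """Decide what a sending MTA does after reading the server's EHLO reply."""
    keywords = parse_ehlo_keywords(ehlo_reply(cfg))
    if "STARTTLS" not in keywords:
        # Server claims no TLS support: a TLS-requiring client gives up now.
        return BOUNCE if require_tls else SEND_PLAIN
    if tls_handshake(cfg):
        return SEND_TLS
    # Advertised but negotiation failed: keep the message queued and retry.
    return DEFER
```

Run `client_outcome(ServerConfig(cert_valid=False, advertise_without_cert=True))` to see the deferral case Scott describes, and with `advertise_without_cert=False` the bounce case Michael prefers.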