Message-ID: <r2yfkmeszb5nz37jepgatysvm3ajua3kwte72sfzdicffh5vze@oizk252b5l77>
Date: Thu, 1 Feb 2024 09:45:36 -0800
From: nightmare.yeah27@...ecat.org
To: oss-security@...ts.openwall.com
Subject: Re: Python standard library defaults to insecure TLS for mail protocols

On Thu, Feb 01, 2024 at 12:31:00PM +0100, Hanno Böck wrote:

> Also relevant is RFC 8314, which contains guidelines for TLS
> connections in email protocols [5]. ("MUAs MUST validate TLS server
> certificates [...]") It targets client software, but I believe it is
> reasonable to apply the same standards to client APIs.

Relaying *MTAs* do not usually verify the certificate of the server
they connect to. When they do, it creates problems because MTA
certificates are very often self-signed. IIRC Yahoo relays in
particular used to have this problem (or still do?)

It is true that MTAs are not usually written in Python :-) So maybe
the proposal is OK. But there's a general point to note here, namely
not all protocols are the same wrt TLS.

-- 
Ian
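The distinction drawn in this thread (an MUA-style client that must verify the server certificate per RFC 8314, versus a relaying MTA that delivers to arbitrary MX hosts and usually does not) can be made explicit in Python rather than left to whatever the stdlib picks when no context is passed. The block below is an added example, not code from this thread, from CPython or from any MTA; the role names, the port choices and the `open_mail_session` helper are assumptions made for illustration.

```python
"""Explicit per-role TLS policy for Python's stdlib mail clients.

Added example, not code from the oss-security thread or from CPython.
Role names, ports and the open_mail_session() helper are illustrative.
"""
import imaplib
import poplib
import smtplib
import ssl

# Roles a Python mail client can play, and the policy each one needs.
#   "submission", "imap", "pop3": an MUA-style client talking to its own
#       provider.  RFC 8314 says MUAs MUST validate the server certificate,
#       so these get the verifying context Python builds for server auth.
#   "relay": an MTA-style client delivering to another domain's MX on
#       port 25.  Peer certificates there are frequently self-signed, so
#       strict verification would mean bouncing mail or dropping back to
#       plaintext; opportunistic TLS (encrypt, do not authenticate) is the
#       usual compromise.  It stops passive sniffing, not an active MITM.
_VERIFYING_ROLES = {"submission", "imap", "pop3"}
_OPPORTUNISTIC_ROLES = {"relay"}


def tls_context(role: str) -> ssl.SSLContext:
    """Return an SSLContext that matches the role's verification policy."""
    if role in _VERIFYING_ROLES:
        # CERT_REQUIRED, check_hostname=True and the system CA store.
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    elif role in _OPPORTUNISTIC_ROLES:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Order matters: Python refuses verify_mode = CERT_NONE while
        # check_hostname is still True, so hostname checking is cleared first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unknown mail client role: {role!r}")
    # Whatever the verification policy, never negotiate obsolete versions.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """One-line summary of what a context will and will not check."""
    verifies = ctx.verify_mode == ssl.CERT_REQUIRED
    return "verify chain=%s hostname=%s min=%s" % (
        verifies, ctx.check_hostname, ctx.minimum_version.name)


def open_mail_session(role: str, host: str):
    """Open a connection for `role` with the matching context.

    Network code is shown for completeness and is not exercised offline;
    `host` is a placeholder supplied by the caller.
    """
    ctx = tls_context(role)
    if role == "relay":
        # SMTP relay: plaintext greeting on 25, then STARTTLS with the
        # non-verifying context.  A real MTA would also have to decide what
        # to do when the peer offers no STARTTLS at all.
        conn = smtplib.SMTP(host, 25)
        conn.starttls(context=ctx)
        return conn
    if role == "submission":
        # Implicit TLS on 465 as RFC 8314 prefers; 587 + starttls(context=ctx)
        # works the same way with the same verifying context.
        return smtplib.SMTP_SSL(host, 465, context=ctx)
    if role == "imap":
        return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)
    if role == "pop3":
        return poplib.POP3_SSL(host, 995, context=ctx)
    raise ValueError(role)


if __name__ == "__main__":
    for name in ("submission", "imap", "pop3", "relay"):
        print(f"{name:<10} {describe(tls_context(name))}")
```

The verifying context is simply what `ssl.create_default_context()` already returns; the point of passing it explicitly is that `smtplib`, `imaplib` and `poplib` only apply it when the caller hands it in. The relay context is the deliberate, documented exception rather than a silent default, which is the shape the thread is arguing for.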
