On 22.08.2017 03:56, Peter wrote:
Lest anyone think STARTTLS MITM doesn't happen,
https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-comm...

Right, the attack does happen, but it can be prevented by properly configuring the server and client. Dovecot, by default, requires STARTTLS before accepting plaintext authentication when SSL is configured and you are not connecting from localhost. You can verify this by telnetting to port 143 from somewhere else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you have enabled something like cram-md5.
I think postfix, by default, will also prevent authentication without transport security.
Also, you should probably be using 587/tcp (submission) for sending mail, instead of 25. Some reputable ISPs prevent connecting to random MX servers on port 25 to make life harder for spambots.
Aki
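A small checker for the pre-STARTTLS behaviour Aki describes (LOGINDISABLED and no plaintext SASL mechanisms advertised on port 143), added here as an example; it is not code from the post or from Dovecot. The two greetings are constructed in Dovecot's style, and check_server is a hypothetical helper for running the same assessment against a live host from a non-localhost client:

```python
import re
import socket

# Constructed sample greetings in Dovecot's style (not captured from a real server).
GREETING_HARDENED = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                     "STARTTLS LOGINDISABLED] Dovecot ready.\r\n")
GREETING_WEAK = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                 "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.\r\n")

# SASL mechanisms that send the password in the clear (CRAM-MD5 is not one of them).
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(response):
    """Extract capability tokens from an IMAP greeting ("* OK [CAPABILITY ...]")
    or from an untagged "* CAPABILITY ..." reply. Returns an upper-cased set."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", response)
         or re.search(r"^\* CAPABILITY (.*?)\r?$", response, re.MULTILINE))
    return set(m.group(1).upper().split()) if m else set()

def assess_pre_starttls(caps):
    """Judge the capabilities a client sees BEFORE issuing STARTTLS.
    Returns (ok, findings): ok is True only when no plaintext credential
    path is offered on the unencrypted connection."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command accepted before STARTTLS")
    offered = sorted(caps & PLAINTEXT_MECHS)
    if offered:
        findings.append("plaintext SASL mechanisms offered before STARTTLS: "
                        + " ".join(offered))
    return (not findings, findings)

def check_server(host, port=143, timeout=5.0):
    """Hypothetical live check: connect (from a non-localhost client, as the
    post says), read the greeting, and ask CAPABILITY if the greeting omits it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        caps = parse_capabilities(sock.recv(4096).decode("ascii", "replace"))
        if not caps:
            sock.sendall(b"a1 CAPABILITY\r\n")
            caps = parse_capabilities(sock.recv(4096).decode("ascii", "replace"))
        sock.sendall(b"a2 LOGOUT\r\n")
    return assess_pre_starttls(caps)

if __name__ == "__main__":
    for name, greeting in (("hardened", GREETING_HARDENED), ("weak", GREETING_WEAK)):
        ok, findings = assess_pre_starttls(parse_capabilities(greeting))
        print(name, "OK" if ok else "FAIL", findings)
```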