15 Apr
2020
15 Apr
'20
1:51 a.m.
- Jean-Daniel:
One rational for this is to make sure broken clients don’t send clear text credential on port 143, even if STARTTLS is required.
If clients are broken, they can send clear text credentials to any port and a network sniffer could record the content. Heck, one can do stupid things with "netcat" if one really wants to.
The decision to allow STARTTLS or not depends on the clients that need to connect. As long as the protocol is followed, the difference in terms of security is negligible.
-Ralph