Patrick Lists wrote on 2013-09-12 09:23:
Hi Noel,
On 09/12/2013 08:54 AM, Noel Butler wrote: [snip]
I'm always of the belief that if one person wants a feature, they might be the only vocal person, but they are never really alone, so post your patch, Timo can only either pull it in, or decline it, as for whether it's useful for others, only time will tell, but not even god will help those who use it on a commercial network with paying customers - that's just plain professional suicide.
Unless it was clearly stated what the requirements are when they sign up. With NIST sleeping at the helm and the NSA having a field day it would not surprise me if businesses understand the importance of stronger encryption.
Why not turn it around? Why not tell the paying customer he is using an unencrypted connection or one with options that are insecure? Parse the logfiles and make an additional section on the website where he/she can see from where he/she had a successful login and the security level. Make it red for unencrypted, orange/amber for insecure and green for a "secure" connection. Most people like to have everything in the green and you give them a choice what to do. Also the cost is almost nothing for doing this. You could even make it a service for companies who get a weekly/monthly PDF with an overview.
For now only Dovecot tells if it is a TLS-connection or not. Postfix for example already tells if it is a TLSv1 connection and the cipher. If this could be extended then sysadmins have a way to make a decision about the path to follow or to advise management.
Hans
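
The log-parsing idea described in the message above, as an added example that is not part of the original thread: it classifies login and TLS lines as red, amber or green. The sample lines are constructed, and the "amber" policy (weak protocols, cipher name fragments, minimum key bits) is an assumption to adapt locally.

```python
import re

# Constructed sample lines in the usual Dovecot and Postfix syslog formats.
SAMPLE_LOG = """\
Sep 12 09:01:10 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLS
Sep 12 09:02:44 mx dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, lip=192.0.2.1, mpid=4102
Sep 12 09:03:05 mx postfix/smtpd[4200]: Anonymous TLS connection established from client.example[192.0.2.30]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 12 09:04:17 mx postfix/smtpd[4201]: Anonymous TLS connection established from old.example[192.0.2.40]: SSLv3 with cipher RC4-MD5 (128/128 bits)
"""

DOVECOT = re.compile(r"dovecot: (?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>,"
                     r".*?rip=(?P<rip>[^,\s]+)(?P<rest>.*)$")
POSTFIX = re.compile(r"postfix/smtpd\[\d+\]: \w+ TLS connection established from "
                     r"(?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
                     r"\((?P<bits>\d+)/\d+ bits\)")

# Assumed policy for "amber"; adjust to local requirements.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_PARTS = ("RC4", "DES", "EXP", "NULL", "MD5")
MIN_BITS = 128

def classify(line):
    """Return (service, who, level) for a recognised line, else None."""
    m = DOVECOT.search(line)
    if m:
        # Dovecot only reports whether TLS was used, so amber is not reachable.
        tls = re.search(r",\s*TLS\b", m["rest"]) is not None
        return (m["svc"], f"{m['user']}@{m['rip']}", "green" if tls else "red")
    m = POSTFIX.search(line)
    if m:
        # Postfix logs protocol and cipher, so weak TLS can be told apart.
        weak = (m["proto"] in WEAK_PROTOCOLS or int(m["bits"]) < MIN_BITS
                or any(p in m["cipher"] for p in WEAK_CIPHER_PARTS))
        return ("smtp", m["peer"], "amber" if weak else "green")
    return None

def report(log_text):
    """Classify every recognised line of a log and skip the rest."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for svc, who, level in report(SAMPLE_LOG):
        print(f"{level:5}  {svc:4}  {who}")
```

The Postfix TLS line identifies the client host rather than the authenticated user, so a per-customer page would still need to join it with the matching login line.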