NHS email encryption
Dave Howe
ukcrypto at chiark.greenend.org.uk
Sun, 26 Aug 2007 17:31:31 +0100
Brian Morrison wrote:
> Are you suggesting that they don't then authenticate once the TLS is
> initialised? That seems rather bizarre, surely the correct way of
> doing this is to authenticate in all cases but refuse to do so from
> outside the trusted networks unless TLS or SSL is used to prevent the
> visibility of the base64 encoded AUTH strings?
No, I am saying that the EHLO response indicates that STARTTLS is
supported, but if you attempt to then use STARTTLS it doesn't actually
respond with the ssl sequence but a "not authorized" message. Our
mailserver did not then attempt to send mail unencrypted, but failed
back to the queue with an error. The "fix" from our end was to force the
mailserver to use HELO instead, which prevents the TLS attempt entirely.