23 Jun
2012
23 Jun
'12
6:12 a.m.
Terry Gardner wrote:
can the server be configured to reject all requests on that exception except for the StartTLS extended request in order to prevent clients from transmitting data in the clear?
Watch out for configuration directives 'security' and 'sasl-secprops'. You might want to set TLSCipherSuite to avoid that a client uses a weak cipher or crypto protocol.
But strictly speaking nothing prevents a misconfigured client to send clear-text credentials over the wire. Rejecting processing them only gives a strong hint that this is not the desired behaviour...
Ciao, Michael.