Description: ------------ Please add option to specify that TLS is required so that if the server does not support STARTTLS mail client will not continue with an unsecure connection. Opportunistic TLS aka STARTTLS Weaknesses and Mitigations https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations "STRIPTLS attacks can be blocked by configuring SMTP clients to require TLS for outgoing connections (for example, the Exim Message transfer agent can require TLS via the directive "hosts_require_tls" [12])." I've done this crudely with a few modifications to the Mail_smtp and Net_smtp classes. But I'm sure someone who knows PEAR::Mail inside and out can do it much better. Basically what I did was to add a 'require_tls' var to the Mail_smtp and Net_smtp classes. And defaulted it to true. Then added a test for 'require_tls' in the auth function. /* Or if TLS is required and aren't already connected over a secure * (SSL) socket connection. */ if (($tls && version_compare(PHP_VERSION, '5.1.0', '>=') && extension_loaded('openssl') && isset($this->esmtp['STARTTLS']) && strncasecmp($this->host, 'ssl://', 6) !== 0 ) || $this->require_tls && strncasecmp($this->host, 'ssl://', 6) !== 0 ) { /* Start the TLS connection attempt. */ Thanks

Added patch STARTTLS_Require_TLS.

Vulnerability to STRIP TLS Attack is a security bug. Not a feature/change request.