Re: [Exim] SMTP

Author: Alan J. Flavell
Date:
To: Exim-Users (E-mail)
Subject: Re: [Exim] SMTP
On Wed, 30 Jun 2004, Tony Finch wrote:

> Do I gather that you are only doing submission on port 25, and that you
> are not offering TLS and AUTH for connections from your internal network,


yes, and yes

> and that you require MUAs to have their TLS switch at the "optional"
> setting?


Effectively, yes. PINE needs to be configured with two mail server
configurations, with the TLS+AUTH one first and the plain one second.

When used remotely, the first configuration succeeds. When used
locally, the first configuration fails, and the second one is used
instead. (This can't be done the other way around - as I suppose is
obvious.)

> This is very unwise, because it means that your users will not realise if
> their MUA is not connecting to your server in the case of a port 25
> interceptor, because it will silently degrade to plain SMTP.


Indeed we have found that sometimes happens, as in the case of the OS
X issue that I described.

> This can lead to email being silently lost.


I would rate that as a client shortcoming, if it happens. But yes,
one must live with the clients that are out there, I suppose.

> If you're going to use TLS and AUTH you
> should configure the MUA to require them all the time.


Thanks for the advice. It's clear that our method is not entirely
trouble-free, as I tried to make clear in the initial response. But
it seemed successful enough to be worth describing. Suggestions for
improvement are always welcome ;-)

> > Some folks will tell you that mail submission protocol is a preferable
> > solution to this requirement than authenticated SMTP. Maybe we should
> > look at that too.
>
> Definitely. It makes message submission much more reliable, and it allows
> users to have a single configuration that works anywhere. You will need to
> support both tls-on-connect on port 465 as well as standard submission on
> port 587 in order to support all the clients out there.


cheers
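
The fail-closed client behaviour recommended in the quoted advice (require TLS and AUTH all the time, so that a port 25 interceptor causes a visible error rather than a silent fall back to plain SMTP), as an added example that is not part of the original message. The function names, host names and sample EHLO replies are assumptions constructed for illustration.

```python
import smtplib
import ssl


class DowngradeError(Exception):
    """The server did not offer what the submission policy requires."""


def parse_ehlo(text):
    """Map EHLO keyword -> parameters, from reply text with reply codes
    stripped (the form smtplib's ehlo() returns); line 1 is the greeting."""
    caps = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def check_policy(caps, tls_active):
    """Fail closed: no STARTTLS before TLS, or no AUTH after it, aborts."""
    if not tls_active:
        if "STARTTLS" not in caps:
            raise DowngradeError("STARTTLS not offered; refusing plain SMTP")
        return "STARTTLS"
    if not caps.get("AUTH"):
        raise DowngradeError("AUTH not offered inside TLS; refusing to send")
    return "AUTH"


def submit(host, user, password, sender, rcpts, message, port=587):
    """Send one message, requiring TLS and AUTH; never falls back to plain."""
    ctx = ssl.create_default_context()   # verifies certificate and host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        _, reply = smtp.ehlo()
        check_policy(parse_ehlo(reply.decode("ascii", "replace")), False)
        smtp.starttls(context=ctx)
        _, reply = smtp.ehlo()           # capabilities are re-read after TLS
        check_policy(parse_ehlo(reply.decode("ascii", "replace")), True)
        smtp.login(user, password)
        return smtp.sendmail(sender, rcpts, message)


# Constructed sample replies, not captured from any real server.
DIRECT = "mail.example.org Hello client\nSIZE 52428800\nPIPELINING\nSTARTTLS\nHELP"
INTERCEPTED = "proxy.example.net Hello client\nSIZE 10485760\nPIPELINING\nHELP"
INSIDE_TLS = "mail.example.org Hello client\nSIZE 52428800\nAUTH PLAIN LOGIN\nHELP"
```

For the tls-on-connect service on port 465, `smtplib.SMTP_SSL` takes the place of `SMTP` plus `starttls()`, and only the AUTH check applies.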