Re: [Exim] SMTP

Author: Mike Richardson
Date:  
To: Ron McKeating
CC: exim-users
New-Topics: RE: [Exim] SMTP
Subject: Re: [Exim] SMTP
We've had an authenticated mail system for university staff and students
for two years now. For various reasons it was never widely advertised, but
people have found out about it anyway and it is now quite popular, especially
with laptop users and people who work from home and abroad.

> We are doing TLS and in fact we only advertise auth-smtp at the second
> ehlo after the user has switched to tls. There is no circumstance we
> would want users using authenticated smtp over an insecure connection.
We had to support Pegasus which until recently didn't support SSL so
ours can have unencrypted connections. It makes little difference because
our POP servers don't have SSL in any form.

We strongly encourage the use of encryption obviously.

> We are figuring on using port 465 rather than 25 for this. Laptop users
> who use the same machine at home and on campus should work in either
> situation.
>
> Are there any gotchas here ?
Yes, Outlook doesn't support STARTTLS on any port other than 25. This
applies with Outlook Express and 2000 in all cases
(http://support.microsoft.com/default.aspx?scid=kb;en-us;307772) and with
Outlook 2002 and, I think, 2003 after 'a while'. We've recently made some
changes and encouraged people to use port 587 with TLS - things went wrong
because I didn't know about the above until too late. Outlook 2002 works for
a while with TLS on 587 but then seems to just stop working. Outlook 2003
seems to work better but I've still had a couple of cases of people
reporting it stopping working. In the end I had to reverse the decision and
advise the use of port 25 again just for Outlook. The aim had been to get
around ISPs who do port 25 transparent proxying and mailhubbing. These ISPs
are in a minority though. However it does leave some people in a bind -
Outlook users can't use SSL on anything other than 25 and their ISP prevents
it on port 25. Rock and hard place.

We could try to implement stunnel but that would cause too much disruption
to an already disrupted service.

Also Norton AV and Norton Internet Security need reconfiguring to work
with any encryption (they proxy connections and can't handle SSL) no matter
what port. Many Windows machines seem to come preinstalled with Norton AV
these days.

See http://www.mc.man.ac.uk/securemail/problems.php?style=default for
general problems we've seen and advise on.

A general problem with Outlook/Windows seems to be IP caching. We
had two machines on round robin DNS which worked but if one went down
Outlook users reported mail failures. Even with a TTL of 1s some people were
still trying to use the same downed IP a week later. Thus we've gone for a
hardware load balancer which works quite nicely.

I was recently at a conference which blocked both port 25 and 587 but left
465 open. First time I'd come across port 587 blocking.

Mike
--
-----Plain text only please - attachments stripped on arrival.------
Copyright 2004       Mike Richardson, Room G98, Manchester Computing
University of Manchester, M13 9PL     doctor@???    Int: 56009
Left through main doors.         Right then left at end of corridor.
First door on left.   URL http://kira.mcc.ac.uk/  Ext: 0161 275 6009
--------------------------------------------------------------------
"If I want your opinion, I'll **** it out of you!" - Chuck Norris
"If anything happens to my daughter I have a ** and ******" Clueless
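The setup Ron describes (TLS on 465, AUTH only advertised on the EHLO after the session is encrypted) maps onto a few Exim main options plus an `server_advertise_condition` on each authenticator. This is an added configuration sketch, not from the thread or the Exim distribution; the hostname, certificate paths and password file are placeholders, and `$tls_in_cipher` is the variable name in current Exim releases (older releases used `$tls_cipher` for the same purpose).

```exim
# Listen on 25, on 465 (TLS from the first byte, "smtps") and on 587
# (submission, STARTTLS). Placeholder values throughout.
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

# Offer STARTTLS to everyone on the non-465 ports.
tls_advertise_hosts = *
tls_certificate = /etc/exim/ssl/mail.example.org.pem    # placeholder
tls_privatekey  = /etc/exim/ssl/mail.example.org.key    # placeholder

begin authenticators

# PLAIN: $auth2 is the username, $auth3 the password.
plain_tls_only:
  driver = plaintext
  public_name = PLAIN
  # $tls_in_cipher is empty until the connection is encrypted, so the
  # first EHLO (before STARTTLS) never lists AUTH; the EHLO that clients
  # send after STARTTLS, or any EHLO on port 465, does.
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = ${if crypteq{$auth3}\
      {${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id = $auth2

# LOGIN: the two-step variant most Windows clients default to.
# Here $auth1 is the username and $auth2 the password.
login_tls_only:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = ${if crypteq{$auth2}\
      {${lookup{$auth1}lsearch{/etc/exim/passwd}{$value}fail}}}
  server_set_id = $auth1
```

A quick check after reloading is to telnet to port 25 and confirm the first EHLO reply lists STARTTLS but no AUTH line, then repeat over `openssl s_client -starttls smtp` and confirm AUTH PLAIN LOGIN appears.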