Author: Marc Sherman Date: To: Exim Users Subject: [exim] Why is STARTTLS preferred over tls_on_connect_ports?
After writing the answer to Guy De Leeuw's question about TLS, I got to
thinking: why is STARTTLS after connection on ports 25/587 preferred to
tls_on_connect_ports on port 465? I know that the latter was only
implemented recently, and previously it required a separate daemon
running with a command line switch, but the emails discussing that
implied that implementing tls_on_connect_ports wasn't just a pain, it
was distasteful and wrong as well. What's the reasoning behind that?
It seems to me that with tls_on_connect_ports, you get a slightly* more
secure session, because the HELO/EHLO doesn't travel in the clear,
reducing the info available for traffic analysis by an attacker.
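For reference, the two deployment styles the question contrasts, as an added illustration that is not part of the original message: a main-section Exim configuration that offers STARTTLS on 25/587 and TLS-on-connect on 465 side by side. The certificate and key paths are placeholders.

```exim
# Main configuration section (added example, not from the original post).

# Listen on all three ports; 25 and 587 start in the clear and may
# upgrade via STARTTLS, so the EHLO on those ports is visible on the wire.
daemon_smtp_ports = 25 : 465 : 587

# On 465 the TLS handshake happens before any SMTP command, so the
# EHLO/HELO is already inside the encrypted session.
tls_on_connect_ports = 465

# Advertise STARTTLS to every client on the clear-text ports.
tls_advertise_hosts = *

# Placeholder paths; substitute the server's real certificate and key.
tls_certificate = /etc/exim/server.crt.PLACEHOLDER
tls_privatekey  = /etc/exim/server.key.PLACEHOLDER
```

Older releases without the `tls_on_connect_ports` option needed a second daemon started with the `-tls-on-connect` command-line switch to get the same behaviour on 465.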