Autor: Bill Hacker Data: A: exim Assumpte: Re: [exim] Setup for authenticated submission
Kjetil Torgrim Homme wrote:
> On Wed, 2006-01-18 at 18:00 +0800, Bill Hacker wrote:
>
>>tls_on_connect_ports = 465 : 587 <IF and ONLY IF using old-style SSL
>>instead of STARTTLS. MUA-dependent>
>
>
> there is NO good reason to use tls_on_connect on port 587. this will
> only cause interoperability woes.
See below.
>
>
>>Note that this does not *prevent* an MUA from connecting on port 25, nor
>>force it to use SSL/TLS if it does so.
>
>
> or vice versa for MTA's connecting to 587.
Not so!
Aside from matching the protocol, they would have to be able to
authenticate with
port-specific SQL-DB stored multi-part UID's and passwords that do not
resemble
local_part@domain, nor are they the same UID/PWD's used for webmail, POP
or IMAP.
> we actually experienced that
> yesterday, an MTA set up to use port 587, ostensibly for security
> purposes! luckily we had put in a check for this and deny
> unauthenticated sending on ports other than 25 (we support 465 and 587
> as MSA).
>
You just disproved your own first point, above, in showing that the
'interoperability woes' issue can contribute to preventing unexpected
abuse, at the very least by caling attention to it.
Our use of 587 fits precisely our setup for specific-client MUA's. And
no others.
Not proselytizing, but 'standards' apply to the part we do NOT control
(our MTA-MTA environment is very much more gracious).
w/r MUA's, OTOH, its 'our servers, our rules'. And even 'Our chosen MUA's'.
But we do only bespoke, corporate mx, some with as few as half-a-dozen
accounts, not public/all-comers ISP/ASP services, so, as said, a
"luxury". ;-)