Autor: Kjetil Torgrim Homme Data: Dla: Bill Hacker CC: exim Temat: Re: [exim] Setup for authenticated submission
On Wed, 2006-01-18 at 22:53 +0800, Bill Hacker wrote: > Kjetil Torgrim Homme wrote:
> > there is NO good reason to use tls_on_connect on port 587. this will
> > only cause interoperability woes. > > [...] an MTA set up to use port 587, ostensibly for security
> > purposes! luckily we had put in a check for this and deny
> > unauthenticated sending on ports other than 25 (we support 465 and 587
> > as MSA).
>
> You just disproved your own first point, above, in showing that the
> 'interoperability woes' issue can contribute to preventing unexpected
> abuse, at the very least by caling attention to it.
uh. this doesn't make any sense. port 587 is to be used to
authenticated SMTP. it should start out unencrypted. what happens
after initial EHLO handshake will depend on negotiations between server
and client. it is NOT required to use STARTTLS, many prefer to use
CRAM-MD5 or similar schemes which aren't vulnerable to sniffing.
> Our use of 587 fits precisely our setup for specific-client MUA's. And
> no others.
>
> Not proselytizing, but 'standards' apply to the part we do NOT control
> (our MTA-MTA environment is very much more gracious).
yes, your system, your rules. if you want to make configuration harder
for your clients, feel free. but it is bad advice to pass out to
others.