Author: Steffen Heil
Date:
To: exim-users
Subject: Re: [exim] Using TLS to encrypt SMTP traffic...
Hi
> >> Typical settings include:
> >>
> >> daemon_smtp_ports = 25 : 465 : 587
> >
> > Typical clients use START_TLS on port 25, but tls-on-connect on 465
> > (what about 587?). So with the above setting I'd strongly recommend
> >
> > tls_on_connect_ports = 465
>
> Please ignore everything Bill says about port 465. He
> continues to advise people to ignore established norms and
> standards, without warning.
I hope I misunderstand, but otherwise that comment is garbage.
In spite of the fact that it may be against standards now, I also suggest:
25 is for inter-MTA smtp traffic. (explicit tls optionally, usually no auth)
587 is for "good" MUA to MTA traffic. (explicit tls preferred, only auth)
465 is for "bad" MUA to MTA traffic. (implicit ssl forced, only auth)
There are still clients which don't do STARTTLS but only implicit SSL.
Some versions of Outlook for example.
If you configure this server only for yourself, drop port 465 completely.
However, if you need to support clients with somehow broken smtp/ssl
implementations, you have no chance to do otherwise.
I cannot afford to drop that many customers, maybe you can...
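The three-port policy laid out above, written out as an Exim configuration fragment; this is an added example, not configuration from the original post, and the domain, certificate paths and ACL name are assumptions. It also withholds AUTH until the session is encrypted on every port, which is slightly stricter than the "preferred" in the post.

```exim
# Added example: Exim main section and RCPT ACL implementing
#   25  - inter-MTA, STARTTLS optional, no AUTH
#   587 - MUA submission, STARTTLS then AUTH required
#   465 - MUA submission for clients that cannot do STARTTLS,
#         TLS negotiated on connect, AUTH required
# Domain, paths and ACL name below are placeholders.

domainlist local_domains = example.org

daemon_smtp_ports = 25 : 465 : 587
# Only 465 gets "implicit SSL"; 25 and 587 keep the STARTTLS upgrade.
tls_on_connect_ports = 465
tls_advertise_hosts = *
tls_certificate = /etc/exim/tls/mail.example.org.crt
tls_privatekey  = /etc/exim/tls/mail.example.org.key

# Advertise AUTH only once a cipher is in use, so credentials are never
# sent in clear on 25 or 587 even by a careless client.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Submission ports: accept only authenticated senders, refuse the rest.
  accept  condition = ${if or{{eq{$interface_port}{465}}{eq{$interface_port}{587}}}}
          authenticated = *
  deny    condition = ${if or{{eq{$interface_port}{465}}{eq{$interface_port}{587}}}}
          message = Authentication required on submission ports

  # Port 25: inter-MTA delivery only, no relaying for foreign domains.
  accept  domains = +local_domains
  deny    message = relay not permitted
```

A production ACL would add recipient verification and the usual anti-abuse checks on port 25; the fragment shows only the port/auth split.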