Re: [exim] host use tsl on port 25?

Author: Magnus Holmgren
Date:  
To: exim-users
Subject: Re: [exim] host use tsl on port 25?
On Tuesday 23 January 2007 18:54, Dean Brooks wrote:
> On Tue, Jan 23, 2007 at 06:36:47PM +0100, Zbigniew Szalbot wrote:
> > I notice that quite a few hosts today try to start a TLS session with my
> > server while I am trying to deliver mail to them (remote delivery not
> > smarthost service).
>
> Not sure why they would be advertising TLS to the outside world without
> some sort of auth first,
Offering TLS is a good idea if you want to accept PLAIN or LOGIN
authentication without forcing the users to send their passwords in the
clear.

> but it's probably a good idea for you to set:
>
>      hosts_avoid_tls = *
>
> on your remote SMTP transport. This will ensure that TLS isn't ever
> used on remote outbound deliveries, which can be somewhat resource
> intensive.
Although optimally all certificates would need to be verified, TLS without
verifying the other end still offers some protection against passive
eavesdropping. Whether it's worth the extra resources and how often a passive
attacker can't as well perform an active attack are other matters.

-- 
Magnus Holmgren        holmgren@???
                       (No Cc of list mail needed, thanks)


"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
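The two positions in the thread side by side, as an added configuration example that is not from the thread or the Exim project: Dean's "never use TLS outbound" transport next to one that keeps Exim's default opportunistic STARTTLS and, as Magnus suggests, verifies the peer certificate where it can. It assumes Exim 4.82 or later (for the per-transport tls_try_verify_hosts and tls_verify_hosts options); the CA bundle path and the host names are placeholders.

```exim
# Added example, not part of the original thread.
# Assumes Exim 4.82+ built with TLS support; paths and host names are placeholders.

begin transports

# Dean's suggestion: never negotiate STARTTLS on outbound deliveries.
# Cheapest in CPU, but every outbound message crosses the network in the clear.
remote_smtp_no_tls:
  driver = smtp
  hosts_avoid_tls = *

# Opportunistic TLS with verification. With hosts_avoid_tls unset, Exim
# uses STARTTLS wherever the remote MX advertises it (the default).
remote_smtp:
  driver = smtp
  # If STARTTLS is advertised but the handshake fails, retry in clear text
  # rather than deferring, so mail to misconfigured peers still flows.
  tls_tempfail_tryclear = true
  # CA bundle used to check the remote server's certificate (placeholder path).
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  # Attempt verification for every host; a failure is only logged and the
  # session stays encrypted, which still defeats passive eavesdropping.
  tls_try_verify_hosts = *
  # For these peers a failed verification aborts the delivery attempt
  # instead of continuing unverified (placeholder host names).
  tls_verify_hosts = mail.example.org : mx.partner.example
  # Also require the certificate to name the host we connected to.
  tls_verify_cert_hostnames = *
```

Exim logs the TLS cipher and, with verification attempted, whether the certificate verified (CV=yes/no) on the delivery log line, which is the first place to look when deciding which peers can safely go into tls_verify_hosts.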