[exim] Should MX offer TLS ?

Top Page
This message is part of the following thread:
M-+--\the complete thread tree sorted by date
M.M-\M 
M\M\MBrent Jones at ->
Delete this message
Reply to this message
Author: Chris Edwards
Date:  
To: exim-users
Subject: [exim] Should MX offer TLS ?
Hi,

Many sites now have an elegant setup where submission happens on port
465/587, where both TLS and AUTH are mandatory. Port 25 is used for
MTA->MTA traffic, hence no need for AUTH on port 25.

However I'm noticing many such sites with the above setup who don't offer
TLS on port 25 of the MX servers. Is there a particular reason for this ?

OK, for MTA->MTA traffic, there's normally no check of a certificate, so
no defence against man-in-the-middle attacks. But at least you get
"opportunistic encryption" of incoming mail, whereby the traffic is
scrambled over the wire, defending against a passive eavesdropper.

Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
Are folk just turning it off to save CPU ?

Thanks for any clue.

Chris

--
Chris Edwards, Glasgow University Computing Service

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Blocking Users with No Reverse DNSRe: [exim] Should MX offer TLS ?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)