[exim] Should MX offer TLS ?

Author: Chris Edwards
Date:  
To: exim-users
Subject: [exim] Should MX offer TLS ?
Hi,

Many sites now have an elegant setup where submission happens on port
465/587, where both TLS and AUTH are mandatory. Port 25 is used for
MTA->MTA traffic, hence no need for AUTH on port 25.

However I'm noticing many such sites with the above setup who don't offer
TLS on port 25 of the MX servers. Is there a particular reason for this ?

OK, for MTA->MTA traffic, there's normally no check of a certificate, so
no defence against man-in-the-middle attacks. But at least you get
"opportunistic encryption" of incoming mail, whereby the traffic is
scrambled over the wire, defending against a passive eavesdropper.

Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
Are folk just turning it off to save CPU ?

Thanks for any clue.

Chris

--
Chris Edwards, Glasgow University Computing Service
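
An Exim configuration sketch of the setup described in the message above, with STARTTLS also offered on port 25 for opportunistic encryption. This is an added example, not part of the original post and not taken from the Exim distribution; the certificate paths, the hostname and the ACL name `acl_check_mail` are placeholders.

```exim
# Constructed example. Paths, hostname and ACL name are placeholders.
# Assumes an Exim version that provides $tls_in_cipher
# (older releases call this variable $tls_cipher).

# --- main configuration section ---
daemon_smtp_ports    = 25 : 465 : 587
tls_on_connect_ports = 465            # implicit TLS on 465, STARTTLS elsewhere

# Offer STARTTLS to every connecting host, port 25 included.
# Inbound MTA->MTA sessions can then be encrypted opportunistically:
# this defends against passive eavesdropping only, since sending MTAs
# normally do not verify the certificate.
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/tls/mx.example.org.crt
tls_privatekey       = /etc/exim/tls/mx.example.org.key

# Advertise AUTH only on an encrypted session, and never on port 25.
auth_advertise_hosts = ${if or{{eq{$tls_in_cipher}{}}{eq{$received_port}{25}}}{}{*}}

acl_smtp_mail = acl_check_mail

# --- ACL section ---
begin acl

acl_check_mail:
  # Submission ports: TLS is mandatory.
  deny    condition      = ${if or{{eq{$received_port}{465}}{eq{$received_port}{587}}}}
          !encrypted     = *
          message        = TLS is required on this port

  # Submission ports: AUTH is mandatory.
  deny    condition      = ${if or{{eq{$received_port}{465}}{eq{$received_port}{587}}}}
          !authenticated = *
          message        = Authentication is required on this port

  # Port 25: TLS is optional for the sender and no AUTH is expected.
  accept
```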