Re: [exim] Should MX offer TLS ?

Author: Brent Jones
Date:  
To: exim-users
Subject: Re: [exim] Should MX offer TLS ?

Quoting Chris Edwards <chris@???>:

> Hi,
>
> Many sites now have an elegant setup where submission happens on port
> 465/587, where both TLS and AUTH are mandatory. Port 25 is used for
> MTA->MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> OK, for MTA->MTA traffic, there's normally no check of a certificate, so
> no defence against man-in-the-middle attacks. But at least you get
> "opportunistic encryption" of incoming mail, whereby the traffic is
> scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> Are folk just turning it off to save CPU ?
>
> Thanks for any clue.
>
> Chris
>
> --
> Chris Edwards, Glasgow University Computing Service



TLS can add a bit of overhead, true. But there is also the fact that
many MTAs don't advertise/use TLS by default on port 25 (Exchange
comes to mind).
It could be argued that there aren't expectations of privacy or
security with e-mail, that why would you send sensitive data when
there are more suitable protocols for secure data transmission.
There is nothing inherently wrong with advertising TLS on port 25
though, should the other server negotiate with you to use it.

Regards,

Brent Jones
brent [at] servuhome [dot] net
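
The setup discussed in this thread, sketched as a fragment of the main section of an Exim configuration. This is an added example, not configuration from either poster or from the Exim project; the certificate paths and hostname are placeholders, and $tls_in_cipher assumes Exim 4.80 or later (older releases name it $tls_cipher).

```conf
# Listen on the MX port and on both submission ports.
daemon_smtp_ports    = 25 : 465 : 587

# Port 465 starts TLS immediately; 25 and 587 use STARTTLS.
tls_on_connect_ports = 465

# Offer STARTTLS to every connecting host. On port 25 this is the
# opportunistic case: a sending MTA that supports TLS will use it,
# one that does not still delivers in clear text.
tls_advertise_hosts  = *

# Placeholder paths; point these at the MX host's own key pair.
tls_certificate      = /etc/exim/tls/mx.example.org.crt
tls_privatekey       = /etc/exim/tls/mx.example.org.key

# Never advertise AUTH on port 25 (MTA->MTA traffic). On the submission
# ports advertise it only once the session is encrypted, so credentials
# are not offered over a clear-text connection.
auth_advertise_hosts = ${if eq{$received_port}{25}{}{${if eq{$tls_in_cipher}{}{}{*}}}}

# Record the negotiated cipher and peer DN so the share of inbound mail
# that actually arrives over TLS can be read from the main log.
# (Merge with any log_selector line already present.)
log_selector         = +tls_cipher +tls_peerdn
```

Exim treats a "#" as a comment only at the start of a line, so keep comments on their own lines rather than after an option value.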


