Author: Exim Mailing List
To: exim-users
Subject: Re: [exim] Should MX offer TLS?
On Wed, Nov 07, 2007 at 12:12:48AM +0000, Chris Edwards wrote:
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> Are folk just turning it off to save CPU ?
I think most MTA operators, including myself, use TLS only for
the encryption of SMTP auth password information. The fact that the
message payload is also encrypted for submission agents is just a bonus.
There really isn't any advantage to encrypting MX submissions. Most
messages have spent much of their life unencrypted the entire way
anyway, so encrypting just one leg gains you *no* level of security.
CPU considerations are also there, sure. But mostly, I try to
avoid SSL in any application except where necessary. Debugging
certificate problems is already a chore. I can't imagine trying
to resolve the myriad of encryption issues that would arise with
thousands of TLS connections per hour from all over the world.
As such, I use "hosts_avoid_tls = *" on all my remote SMTP transports
for outbound traffic, and I have set the "tls_advertise_hosts" global
option to only advertise if the incoming port is 587 or if the customer
is submitting to one of our special submission-only addresses.