Re: [exim] Should MX offer TLS ?

Top Page
This message is part of the following thread:
M-+--\the complete thread tree sorted by date
M.M-\MDaniel Tiefnig at <-
M\M\MExim Mailing List at ->
Delete this message
Reply to this message
Author: Mike Cardwell
Date:  
To: Exim Mailing List
Subject: Re: [exim] Should MX offer TLS ?
Chris Edwards wrote:

> Many sites now have an elegant setup where submission happens on port
> 465/587, where both TLS and AUTH are mandatory. Port 25 is used for
> MTA->MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> OK, for MTA->MTA traffic, there's normally no check of a certificate, so
> no defence against man-in-the-middle attacks. But at least you get
> "opportunistic encryption" of incoming mail, whereby the traffic is
> scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> Are folk just turning it off to save CPU ?

I advertise TLS on my non submission ports here for a very different
reason to those stated. I treat hosts that look like real mail servers
differently. TLS is a very good indicator that the connecting host is a
real mail server; not just another trojaned machine. I don't greylist
real mail servers.

MikeC2

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[exim] pipe & concurrent deliveriesRe: [exim] Exim RPM package->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)