Re: [exim] Should MX offer TLS ?

Author: Mike Cardwell
Date:  
To: Exim Mailing List
Subject: Re: [exim] Should MX offer TLS ?
Chris Edwards wrote:

> Many sites now have an elegant setup where submission happens on port
> 465/587, where both TLS and AUTH are mandatory. Port 25 is used for
> MTA->MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this?
>
> OK, for MTA->MTA traffic, there's normally no check of a certificate, so
> no defence against man-in-the-middle attacks. But at least you get
> "opportunistic encryption" of incoming mail, whereby the traffic is
> scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers?
> Are folk just turning it off to save CPU?

I advertise TLS on my non-submission ports here for a very different
reason to those stated. I treat hosts that look like real mail servers
differently. TLS is a very good indicator that the connecting host is a
real mail server, not just another trojaned machine. I don't greylist
real mail servers.

MikeC2
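The two points raised in this exchange, advertising STARTTLS on the port 25 MX listener and skipping greylisting for sessions that negotiated TLS, can be expressed as an Exim configuration fragment. The following is an added example written for this page, not configuration posted by either author; the certificate paths, the ACL name and the external greylisting socket (and the `grey` reply it returns) are assumptions, so the greylisting lookup must be replaced with whatever mechanism the site actually uses.

```exim
# Added example, not from the original thread. Paths, ACL name and the
# greylisting socket/protocol are assumptions.

# Main section: offer STARTTLS to every client, including MTAs on port 25.
# Opportunistic TLS gives incoming mail protection against passive
# eavesdropping even though sending MTAs normally do not verify the cert.
tls_advertise_hosts = *
tls_certificate     = /etc/exim4/mx.example.org.crt   # assumed path
tls_privatekey      = /etc/exim4/mx.example.org.key   # assumed path

acl_smtp_rcpt = acl_check_rcpt   # assumed ACL name

begin acl

acl_check_rcpt:
  # Reject unknown recipients first; no point greylisting those.
  deny    message = Unknown recipient
          !verify = recipient

  # $tls_in_cipher (Exim 4.80+; $tls_cipher on older releases) is only
  # set once the session has negotiated TLS. Such sessions are treated as
  # coming from a real MTA and are accepted without greylisting.
  accept  condition = ${if def:tls_in_cipher}
          logwrite  = TLS session ($tls_in_cipher) from $sender_host_address: greylisting skipped

  # Plain-text sessions go through the greylisting step. The socket, the
  # request format and the "grey" reply are assumptions about an external
  # greylisting daemon; substitute the site's own lookup here.
  defer   message   = Greylisted, please retry later
          logwrite  = Plain-text session from $sender_host_address: greylisted
          condition = ${if eq{${readsocket{/var/run/greylistd/socket}\
                        {$sender_host_address $sender_address $local_part@$domain}\
                        {5s}{}{}}}{grey}}

  # Plain-text session that has already passed greylisting.
  accept
```

A session that advertises STARTTLS but never upgrades stays in the plain-text branch, since `$tls_in_cipher` is only defined after a successful handshake; the `logwrite` lines make it easy to see from the main log which branch each connection took.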