Kevin, RFC2487 is telling us that SMTP over TLS can protect their communications from eavesdroppers and attacks. I understand that as an encrypted communication, no?
Why would usernames and passwords be sent on a SMTP connection? I don't quite understand what you tried to explain.... gd -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sent: October 25, 2006 2:47 PM To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy Subject: Re: [Assp-user] SSL/TLS proxy Guy Deslauriers wrote: > Tim, James, > > Did you guys check the percentage of spam VS legitimate mail using TLS? > > I had an issue with ASSP and TLS when I originally launched ASSP about a > month ago, so I deactivated it to investigate the TLS necessity. I was > quite surprised to find out that about 90% (if not 95%) of the SMTP over TLS > connection to my mail server was used by spammers.... > > Since then, I disabled TLS and reactivated ASSP. For me SMTP over TLS is > TOTALLY useless.... > > I suggested to my users to use something like PGP or the likes if they want > their emails encrypted. > TLS is not about encrypting the email message it is for encrypting the connection between the server and client and thus preventing their user-name and password from being sent over an unencrypted connection. Once the message is on the server or is sent by the server to another server there is no encryption unless is is setup in advance between the sending and receiving server. Also email stored on disk is not encrypted in any way unless you use something like PGP as you stated. As for the spammers using the TLS, I can't comment. My users submit on a server that is not one of my MX servers and thus no spammers (aside from random port scanners) use it. Changing the SMTP submit port to 587 (as per rfc2476 Section 3.1) for your clients and using SSL/TLS on that would allow all Internet mail to be scanned by ASSP and by routing outgoing email through ASSP would allow it to work as it should. Only internal email is not seen by ASSP. Kevin ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user
