Quoting Chris Edwards <[EMAIL PROTECTED]>:

> Hi,
>
> Many sites now have an elegant setup where submission happens on port
> 465/587, where both TLS and AUTH are mandatory. Port 25 is used for
> MTA->MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this?
>
> OK, for MTA->MTA traffic, there's normally no check of a certificate, so
> no defence against man-in-the-middle attacks. But at least you get
> "opportunistic encryption" of incoming mail, whereby the traffic is
> scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers?
> Are folk just turning it off to save CPU?
>
> Thanks for any clue.
>
> Chris
>
> --
> Chris Edwards, Glasgow University Computing Service
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
TLS can add a bit of overhead, true. But there is also the fact that many
MTAs don't advertise/use TLS by default on port 25 (Exchange comes to mind).
It could be argued that there aren't expectations of privacy or security
with e-mail, so why would you send sensitive data when there are more
suitable protocols for secure data transmission? There is nothing inherently
wrong with advertising TLS on port 25 though, should the other server
negotiate with you to use it.

Regards,
Brent Jones
brent [at] servuhome [dot] net
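As an added illustration of the setup both posts describe (not configuration from either poster or from the Exim project's documentation), the following Exim 4 fragment advertises STARTTLS to every client on port 25 as well as on the submission ports, advertises AUTH only once the session is encrypted, and on the submission ports refuses mail that is not both encrypted and authenticated. Port 25 keeps TLS purely opportunistic: a peer that ignores the STARTTLS keyword carries on in clear. The certificate paths, the `local_domains` and `relay_from_hosts` lists, and the choice of ports are assumptions; `$tls_in_cipher` is the variable name in Exim 4.80 and later, older releases use `$tls_cipher` in the same expression.

```exim
# Added example, not the original posters' configuration.
# Main section: listen on 25 and 587 with STARTTLS, on 465 with TLS on connect.
daemon_smtp_ports = 25 : 587
tls_on_connect_ports = 465

# Assumed list definitions; adjust to the site.
domainlist local_domains = example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Advertise STARTTLS to every client on every listening port. An MTA that
# does not support it ignores the EHLO keyword and keeps talking in clear,
# so this is opportunistic on port 25 and costs nothing for peers without TLS.
tls_advertise_hosts = *
# Assumed paths to the MX certificate and key.
tls_certificate = /etc/exim/mx.example.org.crt
tls_privatekey  = /etc/exim/mx.example.org.key

# Advertise AUTH only once the session is encrypted, so credentials are
# never offered (or sent) in clear on any port. Use $tls_cipher before 4.80.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Submission ports (465/587): encryption and authentication are mandatory.
  deny  condition = ${if or{{eq{$interface_port}{587}}{eq{$interface_port}{465}}}}
        !encrypted = *
        message   = STARTTLS is required on the submission port

  deny  condition = ${if or{{eq{$interface_port}{587}}{eq{$interface_port}{465}}}}
        !authenticated = *
        message   = Authentication is required on the submission port

  # Port 25 (MTA to MTA): nothing about TLS is required, only the usual
  # relay controls.
  accept  hosts = +relay_from_hosts
  accept  authenticated = *
  accept  domains = +local_domains
  deny    message = relay not permitted
```

Because `tls_advertise_hosts` applies to every port, the same certificate serves both the MX role on 25 and the submission role on 587/465; what differs is only the ACL, which enforces TLS and AUTH where clients are expected and leaves port 25 opportunistic. This matches the point in the reply above: advertising TLS on 25 harms nothing, since a peer that cannot or will not negotiate it is handled exactly as before.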
