On Wed, Nov 07, 2007 at 12:12:48AM +0000, Chris Edwards wrote:
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this?
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers?
> Are folk just turning it off to save CPU?
I think most MTA operators, including myself, use TLS only for the encryption of SMTP auth password information. The fact that the message payload is also encrypted for submission agents is just a bonus.

There really isn't any advantage to encrypting MX submissions. Most messages have spent much of their life unencrypted the entire way anyway, so encrypting just one leg gains you *no* level of security.

CPU considerations are also there, sure. But mostly, I try to avoid SSL in any application except where necessary. Debugging certificate problems is already a chore. I can't imagine trying to resolve the myriad encryption issues that would arise with thousands of TLS connections per hour from all over the world.

As such, I use "hosts_avoid_tls = *" on all my remote SMTP transports for outbound traffic, and I have set the "tls_advertise_hosts" global option to only advertise if the incoming port is 587 or if the customer is submitting to one of our special submission-only addresses.

--
Dean Brooks
[EMAIL PROTECTED]

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
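The Exim 4 configuration that the reply above describes, written out as an added illustration (this is not Dean's actual config, nor anything from the Exim project): STARTTLS is advertised only to clients that arrived on port 587, AUTH is advertised only once the session is encrypted, and the outbound smtp transport never attempts TLS. The commented-out alternatives show the opposite choice, which is what the original question asked about: advertising STARTTLS on port 25 as well and letting the outbound transport use TLS opportunistically. The certificate paths and the partner hostname are assumptions.

```conf
# Added example, not from the post above or from the Exim project.
# Exim config only treats whole lines beginning with '#' as comments,
# so no trailing comments are used on option lines.

# ---------------- main section ----------------

daemon_smtp_ports = 25 : 587

# Assumed paths for the server certificate and key.
tls_certificate = /etc/exim/mx.example.net.crt
tls_privatekey  = /etc/exim/mx.example.net.key

# As described in the reply: only advertise STARTTLS to clients that
# arrived on the submission port. $received_port is the local port the
# connection came in on, so MX traffic on port 25 never sees the
# STARTTLS keyword in the EHLO response at all.
tls_advertise_hosts = ${if = {$received_port}{587} {*}{}}

# Alternative for the question that was asked: advertise STARTTLS to
# every client, on 25 and 587 alike (opportunistic TLS for MX traffic).
# tls_advertise_hosts = *

# Because the stated goal is protecting the AUTH password, only advertise
# AUTH once the session is already encrypted. $tls_in_cipher is empty on a
# cleartext session (the variable was called $tls_cipher before Exim 4.80).
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# ---------------- transports ----------------

begin transports

# As described in the reply: never attempt STARTTLS when delivering
# outbound to other hosts' MX servers, even if they advertise it.
remote_smtp:
  driver = smtp
  hosts_avoid_tls = *

# Alternative: leave hosts_avoid_tls unset so Exim tries STARTTLS whenever
# the remote server advertises it (that is Exim's default behaviour), and
# additionally refuse to deliver in clear to a named peer.
# remote_smtp:
#   driver = smtp
#   hosts_require_tls = mail.partner.example
```

Note that with the first variant a client that connects to port 25 and issues STARTTLS anyway gets a "TLS not available" style rejection, since Exim refuses STARTTLS from hosts it did not advertise it to; the setting decides what is offered, not merely what is announced. Run `exim -bV` after editing to confirm the build has TLS support, and `exim -bP tls_advertise_hosts` to see the expanded-as-configured value.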
