Chris Edwards wrote:
> Many sites now have an elegant setup where submission happens on port
> 465/587, where both TLS and AUTH are mandatory. Port 25 is used for
> MTA->MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer
> TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> OK, for MTA->MTA traffic, there's normally no check of a certificate, so
> no defence against man-in-the-middle attacks. But at least you get
> "opportunistic encryption" of incoming mail, whereby the traffic is
> scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ?
> Are folk just turning it off to save CPU ?
I advertise TLS on my non-submission ports here for a very different reason to those stated.

I treat hosts that look like real mail servers differently. TLS is a very good indicator that the connecting host is a real mail server, not just another trojaned machine. I don't greylist real mail servers.

MikeC2

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
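The policy MikeC2 describes (skip greylisting for a client that negotiated STARTTLS on port 25, defer everyone else until they retry) can be written down as a small decision function. The following is an added illustration, not Exim's own code or anything from the list: the `Greylist` class, its method names, the 300-second retry delay, the 4-hour triplet lifetime and the sample connection trace are all assumptions made for the example. In Exim the equivalent decision would live in an ACL; here it is plain Python so the behaviour can be exercised offline.

```python
"""Greylisting with a TLS bypass, modelled on the policy in the reply above:
a client that completed STARTTLS is treated as a real MTA and is not
greylisted; any other client is deferred until it retries after a delay.

Added example, not Exim's code. Class name, method names and the timings
below are assumptions chosen for the illustration.
"""
from dataclasses import dataclass, field

# Minimum time a non-TLS sender must wait before the same
# (client IP, envelope sender, envelope recipient) triplet is accepted.
RETRY_DELAY = 300          # seconds (assumed site policy)

# How long a triplet stays known after its first sighting.
TRIPLET_TTL = 4 * 3600     # seconds (assumed site policy)


@dataclass
class Greylist:
    """In-memory greylist keyed on the classic sender triplet."""
    retry_delay: int = RETRY_DELAY
    ttl: int = TRIPLET_TTL
    # triplet -> POSIX timestamp of first sighting
    first_seen: dict = field(default_factory=dict)

    def decide(self, client_ip, mail_from, rcpt_to, tls_active, now):
        """Return 'accept' or 'defer' for one RCPT.

        tls_active is True when the client completed STARTTLS on port 25.
        now is a POSIX timestamp, passed in so the logic is testable.
        """
        # Policy from the reply: a host that negotiated TLS looks like a
        # real MTA, so it bypasses greylisting entirely.
        if tls_active:
            return "accept"

        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.get(key)

        # Expire stale entries so the store does not grow without bound.
        if first is not None and now - first > self.ttl:
            del self.first_seen[key]
            first = None

        if first is None:
            # First contact from a non-TLS sender: record it and defer.
            self.first_seen[key] = now
            return "defer"
        if now - first < self.retry_delay:
            # Retried too quickly; a real MTA backs off before retrying.
            return "defer"
        return "accept"


def run_constructed_trace():
    """Replay a constructed sequence of delivery attempts and return the
    decisions, so the behaviour can be checked without a network."""
    gl = Greylist()
    # (t, client_ip, mail_from, rcpt_to, tls_active) -- constructed sample
    trace = [
        (0,   "192.0.2.10",   "alice@example.org", "bob@example.net", True),
        (0,   "198.51.100.7", "news@example.com",  "bob@example.net", False),
        (60,  "198.51.100.7", "news@example.com",  "bob@example.net", False),
        (900, "198.51.100.7", "news@example.com",  "bob@example.net", False),
        (900, "203.0.113.5",  "x@example.com",     "bob@example.net", False),
    ]
    return [gl.decide(ip, mf, rt, tls, t) for (t, ip, mf, rt, tls) in trace]


if __name__ == "__main__":
    for decision in run_constructed_trace():
        print(decision)
```

In the trace the TLS client is accepted on first contact, the non-TLS client is deferred at t=0 and again on its hasty retry at t=60, then accepted once it comes back after the delay; a brand-new non-TLS triplet is deferred as before. The `tls_active` flag is the only thing the bypass depends on, which is exactly the signal the reply relies on: STARTTLS is something a real MTA does and a typical trojaned machine does not bother with.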
