OT - TLS question

Mog lists at elasticmind.net
Tue Sep 29 13:35:10 IST 2009



Jason Ede wrote:
> [snip]
>   
>> That was sort of my original question - should I use TLS at all?
>>
>> The only harm is that they'll be on someone else's network broadcasting
>> their passwords. I think most sites set up a server just for this
>> "roaming" network traffic and use TLS as a SmartHost type setup. Our
>> manager decided we didn't need that extra hardware. It'd only matter to
>> people who had their clients set up to use TLS anyway. I know
>> Thunderbird defaults to "use it if they offer it", but not sure how most
>> other clients do it.
>>
>> Anyway, thanks for the input.
>>
>> steve
>>     
>
> We moved to TLS as a requirement for all our outgoing email a year or so back using a proper SSL (didn't cost much at all) mainly to stop passwords being broadcast in the clear and to try and reduce the chance of a compromise. It hasn't caused many problems as we didn't enforce TLS for a while and gave our clients plenty of notification of moving to requiring TLS and then chased up those that didn't make the switch before enforcing the requirement. We have the luxury of having all our outgoing email going through different servers from our inbound email which makes life much easier.
>
> Jason 
>   

Personally I think yes, you should definitely provide support for TLS 
(we do on all our servers). I could be wrong, but I think that once 
activated it encrypts the remainder of the SMTP session, so both the 
user's credentials and the content of their mail are encrypted. Naturally 
not everyone will be using TLS when sending you email on port 25, so you 
probably don't want to be enforcing the use of TLS, but definitely make 
it available.

It's just the same as providing IMAPS and IMAP to cater for people who 
do and do not use SSL for their IMAP connections.

Mog
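
The point discussed in this thread, that credentials are only protected once STARTTLS has been activated, can be checked against a server-side SMTP session log. The following is an added example, not part of the original posts; the transcripts, host names and the `parse`/`audit_session` helpers are constructed for illustration.

```python
# Added example: flag SMTP credentials exposed before STARTTLS (constructed data).

def parse(text):
    """Turn 'S: ...' / 'C: ...' lines into (side, line) tuples."""
    return [(l[0], l[3:]) for l in text.strip().splitlines()]

def audit_session(transcript):
    """Return findings; an empty list means no cleartext credential exposure."""
    findings, tls_active, starttls_pending = [], False, False
    for side, line in transcript:
        upper = line.strip().upper()
        if side == "S":
            # EHLO capability lines: "250-AUTH PLAIN LOGIN" or "250 AUTH ..."
            if upper[:3] == "250" and upper[4:].startswith("AUTH") and not tls_active:
                findings.append("server advertises AUTH before STARTTLS")
            if starttls_pending:
                # Only a 220 reply means the TLS handshake follows.
                tls_active = upper.startswith("220")
                starttls_pending = False
        elif upper == "STARTTLS":
            starttls_pending = True
        elif upper.startswith("AUTH ") and not tls_active:
            findings.append("client sent AUTH in cleartext")
    return findings

CLEARTEXT = parse("""
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN constructed-base64-credentials
S: 235 2.7.0 Authentication successful
""")

PROTECTED = parse("""
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO laptop.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN constructed-base64-credentials
""")

print(audit_session(CLEARTEXT), audit_session(PROTECTED))
```

The first transcript shows a server that offers STARTTLS but still accepts AUTH without it, which is the case where a "use it if they offer it" client is protected and a client with TLS switched off is not.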


More information about the MailScanner mailing list