OT - TLS question
campbell at cnpapers.com
Tue Sep 29 14:54:08 IST 2009
I was under the impression that once I added support for TLS, then it
was server-wide, and that most clients were set up as "use TLS if
available". It's not going to be a problem for our users, but all those
in the wild that send mail and get the pop-up might not know what it's for.
I use sendmail, so is there a way to have the server only use it on a
particular port and not another? I only want it on port 587, not port 25.
Thanks for the reply
> Jason Ede wrote:
>>> That was sort of my original question - should I use TLS at all?
>>> The only harm is that they'll be on someone else's network broadcasting
>>> their passwords. I think most sites set up a server just for this
>>> "roaming" network traffic and use TLS as a SmartHost type setup. Our
>>> manager decided we didn't need that extra hardware. It'd only matter to
>>> people who had their clients set up to use TLS anyway. I know
>>> Thunderbird defaults to "use it if they offer it", but not sure how
>>> other clients do it.
>>> Anyway, thanks for the input.
>> We moved to TLS as a requirement for all our outgoing email a year or
>> so back using a proper SSL (didn't cost much at all) mainly to stop
>> passwords being broadcast in the clear and to try and reduce the
>> chance of a compromise. It hasn't caused many problems as we didn't
>> enforce TLS for a while and gave our clients plenty of notification
>> of moving to requiring TLS and then chased up those that didn't make
>> the switch before enforcing the requirement. We have the luxury of
>> having all our outgoing email going through different servers from
>> our inbound email which makes life much easier.
> Personally I think yes, you should definitely provide support for TLS
> (we do on all our servers). I could be wrong, but I think that once
> activated it encrypts the remainder of the SMTP session, so both the
> user's credentials and the content of their mail is encrypted.
> Naturally not everyone will be using TLS when sending you email on
> port 25, so you probably don't want to be enforcing the use of TLS,
> but definitely make it available.
> It's just the same as providing IMAPS and IMAP to cater for people who
> do and do not use SSL for their IMAP connections.