OT - TLS question

Steve Campbell campbell at cnpapers.com
Tue Sep 29 14:54:08 IST 2009


I was under the impression that once I added support for TLS, then it 
was server-wide, and that most clients were set up as "use TLS if 
available". It's not going to be a problem for our users, but all those 
in the wild that send mail and get the pop-up might not know what it's for.

I use sendmail, so is there a way to have the server only use it on a 
particular port and not another? I only want it on port 587, not port 25.

Thanks for the reply

steve

Mog wrote:
>
>
> Jason Ede wrote:
>> [snip]
>>  
>>> That was sort of my original question - should I use TLS at all?
>>>
>>> The only harm is that they'll be on someone else's network broadcasting
>>> their passwords. I think most sites set up a server just for this
>>> "roaming" network traffic and use TLS as a SmartHost type setup. Our
>>> manager decided we didn't need that extra hardware. It'd only matter to
>>> people who had their clients set up to use TLS anyway. I know
>>> Thunderbird defaults to "use it if they offer it", but not sure how
>>> most other clients do it.
>>>
>>> Anyway, thanks for the input.
>>>
>>> steve
>>>     
>>
>> We moved to TLS as a requirement for all our outgoing email a year or 
>> so back using a proper SSL (didn't cost much at all) mainly to stop 
>> passwords being broadcast in the clear and to try and reduce the 
>> chance of a compromise. It hasn't caused many problems as we didn't 
>> enforce TLS for a while and gave our clients plenty of notification 
>> of moving to requiring TLS and then chased up those that didn't make 
>> the switch before enforcing the requirement. We have the luxury of 
>> having all our outgoing email going through different servers from 
>> our inbound email which makes life much easier.
>>
>> Jason   
>
> Personally I think yes, you should definitely provide support for TLS 
> (we do on all our servers). I could be wrong, but I think that once 
> activated it encrypts the remainder of the SMTP session, so both the 
> user's credentials and the content of their mail is encrypted. 
> Naturally not everyone will be using TLS when sending you email on 
> port 25, so you probably don't want to be enforcing the use of TLS, 
> but definitely make it available.
>
> It's just the same as providing IMAPS and IMAP to cater for people who 
> do and do not use SSL for their IMAP connections.
>
> Mog
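Steve's question about offering STARTTLS on port 587 but not on port 25 is answered in sendmail by the per-socket modifier flags of `DaemonPortOptions`: each `DAEMON_OPTIONS` line in sendmail.mc takes its own `M=` flags, and the `S` modifier tells that listener not to offer STARTTLS. The fragment below is an added example, not something from this thread; it assumes sendmail 8.12 or later built with STARTTLS and SASL support, and the certificate paths are placeholders.

```m4
dnl Added example (not from the mailing-list thread): per-port STARTTLS.
dnl Assumes a sendmail binary built with STARTTLS and SASL; the paths
dnl under /etc/mail/certs are placeholders for your own certificate.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CA.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/server.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/server.key')dnl
dnl
dnl 'p' = only offer plaintext-equivalent AUTH mechanisms (PLAIN, LOGIN)
dnl after a security layer such as STARTTLS is active, so roaming users
dnl cannot send their password in the clear even if their client tries.
dnl 'A' = accept the AUTH= MAIL FROM parameter only from authenticated
dnl senders.
define(`confAUTH_OPTIONS', `A p')dnl
dnl
dnl Port 25 (public MTA): M=S means this listener does not advertise
dnl STARTTLS in its EHLO reply, so other mail servers and legacy clients
dnl never see the TLS prompt. Caveat: those servers then also cannot use
dnl opportunistic TLS, so inbound mail on 25 arrives unencrypted.
DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=S')dnl
dnl
dnl Port 587 (submission): STARTTLS stays on. E = no ETRN, a = require
dnl SMTP AUTH, which together with 'p' above means a client must start
dnl TLS before it can authenticate and relay.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
```

After regenerating sendmail.cf (`m4 sendmail.mc > sendmail.cf`) and restarting, `openssl s_client -starttls smtp -connect mail.example.com:587` should negotiate TLS, while a plain `EHLO` on port 25 should no longer list `250-STARTTLS`.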
