OT - TLS question

Gary Pentland gary at sgluk.com
Tue Sep 29 15:09:25 IST 2009


That's all configurable (what isn't in sendmail)...

Something like this should do it, but read the cf documentation and use Google! You may need other options, so test this carefully with your setup.

FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=tls,Port=587,Modifiers=s')
DAEMON_OPTIONS(`Name=mta,Port=25')

Hope that helps you find out what you need to do.

Gary
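Added example (not Gary's configuration above, and not part of the original thread): a sendmail .mc fragment for the setup Steve asked about, STARTTLS available to submission clients on port 587 but not advertised on port 25. It relies on the documented DaemonPortOptions modifiers: upper-case `S` means "don't offer STARTTLS" on that listener, `E` disallows ETRN, and `a` requires SMTP AUTH. Note that the lower-case `s` modifier is a different thing: it makes the listener speak SMTPS (TLS from the first byte) rather than STARTTLS, so clients configured for STARTTLS on 587 will not connect to it. The certificate paths are placeholders.

```m4
dnl Added example, not the configuration posted in this thread.
dnl Goal: keep STARTTLS (and AUTH) on the submission port (587) for
dnl roaming users, while not advertising STARTTLS on the MX port (25),
dnl so remote MTAs never see a certificate prompt from this host.

dnl Suppress the built-in MSA listener; every listener is defined
dnl explicitly by the DAEMON_OPTIONS lines below.
FEATURE(`no_default_msa')dnl

dnl Certificate material (placeholder paths; use the host's real
dnl certificate and key, readable only by root).
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/server.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/server.key')dnl

dnl AUTH options: A = only add AUTH= to MAIL FROM when authentication
dnl succeeded; p = refuse PLAIN/LOGIN unless TLS is already active, so
dnl passwords are never accepted in the clear; y = no anonymous logins.
define(`confAUTH_OPTIONS', `A p y')dnl

dnl Port 25: inbound MX traffic. Modifier S = do not offer STARTTLS.
DAEMON_OPTIONS(`Name=MTA, Port=25, Modifiers=S')dnl

dnl Port 587: message submission. STARTTLS is offered (no S modifier),
dnl ETRN is disallowed (E) and SMTP AUTH is required (a), so the only
dnl sessions carrying credentials are the ones that can be encrypted.
DAEMON_OPTIONS(`Name=MSA, Port=587, Modifiers=Ea')dnl
```

After rebuilding sendmail.cf from the .mc file and restarting sendmail, check each listener's EHLO response by hand: `250-STARTTLS` should appear in the reply on port 587 and be absent on port 25, and an `AUTH PLAIN` attempt on 587 before STARTTLS should be rejected because of the `p` option.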

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell
Sent: 29 September 2009 14:54
To: MailScanner discussion
Subject: Re: OT - TLS question

I was under the impression that once I added support for TLS, then it 
was server-wide, and that most clients were set up as "use TLS if 
available". It's not going to be a problem for our users, but all those 
in the wild that send mail and get the pop-up might not know what it's for.

I use sendmail, so is there a way to have the server only use it on a 
particular port and not another? I only want it on port 587, not port 25.

Thanks for the reply

steve

Mog wrote:
>
>
> Jason Ede wrote:
>> [snip]
>>  
>>> That was sort of my original question - should I use TLS at all?
>>>
>>> The only harm is that they'll be on someone else's network broadcasting
>>> their passwords. I think most sites set up a server just for this
>>> "roaming" network traffic and use TLS as a SmartHost type setup. Our
>>> manager decided we didn't need that extra hardware. It'd only matter to
>>> people who had their clients set up to use TLS anyway. I know
>>> Thunderbird defaults to "use it if they offer it", but not sure how
>>> most other clients do it.
>>>
>>> Anyway, thanks for the input.
>>>
>>> steve
>>>     
>>
>> We moved to TLS as a requirement for all our outgoing email a year or 
>> so back using a proper SSL (didn't cost much at all) mainly to stop 
>> passwords being broadcast in the clear and to try and reduce the 
>> chance of a compromise. It hasn't caused many problems as we didn't 
>> enforce TLS for a while and gave our clients plenty of notification 
>> of moving to requiring TLS and then chased up those that didn't make 
>> the switch before enforcing the requirement. We have the luxury of 
>> having all our outgoing email going through different servers from 
>> our inbound email which makes life much easier.
>>
>> Jason   
>
> Personally I think yes, you should definitely provide support for TLS 
> (we do on all our servers). I could be wrong, but I think that once 
> activated it encrypts the remainder of the SMTP session, so both the 
> user's credentials and the content of their mail is encrypted. 
> Naturally not everyone will be using TLS when sending you email on 
> port 25, so you probably don't want to be enforcing the use of TLS, 
> but definitely make it available.
>
> It's just the same as providing IMAPS and IMAP to cater for people who 
> do and do not use SSL for their IMAP connections.
>
> Mog

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 