Security Basics mailing list archives

Re: Opportunistic TLS on mail servers


From: Gustavo Castro <gcastrop () gmail com>
Date: Fri, 13 Mar 2009 13:53:45 -0300

Steve:

  I use STARTTLS (a.k.a. opportunistic TLS) on SMTP (ports 25 and
587 (forced, not opportunistic)) and IMAP, and SMTPS (SMTP over SSL),
but users don't use it too much anyway. Some client programs claim to
use SSL but don't specify if they use pure SSL transport or STARTTLS
(that's the case with the Palm Versamail, which uses STARTTLS only), so
that can be an issue for you.
  The only real problem I've faced was that some servers, when
connected as clients, didn't handle the protocol negotiation well and
failed, but this is quite visible in the logs, and quite rare (only two
times in 5 years, over the 22 SMTP servers I manage). No other issues have
arisen out of that.
  Hope it helps you.

2009/3/12  <steve.dake () gmail com>:
I am curious as to how many people have their email servers configured to perform opportunistic TLS? It seems like a 
cheap way to mitigate a good portion of your potential email information leakage. If you are against it, I would like 
to know why. If you have used it for a while, have you had any issues?

Just interested in what everyone has to say about the topic.

Article:
http://securityn00dle.blogspot.com/




-- 
Saludos,
     Gustavo Castro Puig.
     E-Mail: gcastrop () gmail com

LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342
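To make the STARTTLS policy described in the reply above concrete (port 25 opportunistic, 587 forced, SMTPS wrapping the whole connection, and a failed negotiation that must show up in the logs), here is an added Python example. It is not code from this thread or from any mail server: the EHLO replies are constructed samples, SMTPS is assumed on port 465, and the fallback behaviour on a failed handshake is an assumed simplified model rather than any particular MTA's exact logic.

```python
"""Model of an SMTP client's STARTTLS decision, per port policy.

Added example for this thread (not code from the original post or any MTA).
The EHLO replies below are constructed samples; the port-to-policy table is an
assumption modelled on the post: 25 opportunistic, 587 STARTTLS required,
465 SMTPS (TLS before any SMTP bytes). The fallback on a failed handshake is a
simplified model, not any particular MTA's exact logic.
"""
from enum import Enum
from typing import Optional, Set, Tuple


class TlsMode(Enum):
    IMPLICIT = "implicit"            # SMTPS: TLS wraps the whole connection
    REQUIRED = "required"            # STARTTLS must succeed, else abort
    OPPORTUNISTIC = "opportunistic"  # STARTTLS if offered, plaintext otherwise


# Assumed policy table (the post's configuration, as a model).
PORT_POLICY = {25: TlsMode.OPPORTUNISTIC, 587: TlsMode.REQUIRED, 465: TlsMode.IMPLICIT}


def parse_ehlo(reply: str) -> Tuple[int, Set[str]]:
    """Parse a multi-line EHLO reply into (reply code, set of extension keywords).

    RFC 5321 format: every line starts with the same 3-digit code, followed by
    '-' on all but the last line and ' ' on the last. The first line carries the
    server's domain; later lines carry one extension keyword each (e.g. STARTTLS).
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    code = lines[0][:3]
    if not code.isdigit():
        raise ValueError(f"bad reply code: {lines[0]!r}")
    exts: Set[str] = set()
    for i, ln in enumerate(lines):
        if ln[:3] != code or len(ln) < 4 or ln[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {ln!r}")
        last = i == len(lines) - 1
        if (ln[3] == " ") != last:
            raise ValueError("continuation marker does not match line position")
        if i > 0:
            exts.add(ln[4:].split(" ", 1)[0].upper())
    return int(code), exts


def plan_session(port: int, ehlo_reply: Optional[str]) -> Tuple[str, str]:
    """Return (action, reason) for the client after EHLO on the given port.

    action is one of: 'tls-wrapped', 'starttls', 'plaintext', 'abort'.
    For port 465 no EHLO reply is consulted: TLS is negotiated first.
    """
    mode = PORT_POLICY.get(port)
    if mode is None:
        return "abort", f"no TLS policy configured for port {port}"
    if mode is TlsMode.IMPLICIT:
        return "tls-wrapped", "SMTPS: handshake before any SMTP command"
    code, exts = parse_ehlo(ehlo_reply or "")
    if code != 250:
        return "abort", f"EHLO rejected with {code}"
    if "STARTTLS" in exts:
        return "starttls", "server advertises STARTTLS"
    if mode is TlsMode.REQUIRED:
        return "abort", "STARTTLS required on this port but not advertised"
    return "plaintext", "STARTTLS not advertised; opportunistic mode continues in clear"


def on_handshake_failure(port: int) -> Tuple[str, str]:
    """What the client does when STARTTLS was accepted but the TLS handshake fails.

    This is the failure the post describes (negotiation breaking with some peers).
    Modelled simply: required/implicit policies abort; opportunistic falls back to
    plaintext, and the event is reported so it stays visible to the operator.
    """
    mode = PORT_POLICY.get(port, TlsMode.REQUIRED)
    if mode is TlsMode.OPPORTUNISTIC:
        return "plaintext", "WARNING: TLS handshake failed; falling back to cleartext"
    return "abort", "TLS handshake failed under a required/implicit policy"


# Constructed sample replies (not captured from any real server).
EHLO_WITH_TLS = "250-mail.example.test Hello client\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_NO_TLS = "250-mail.example.test Hello client\r\n250-PIPELINING\r\n250 HELP\r\n"

if __name__ == "__main__":
    for port in (25, 587, 465):
        for name, reply in (("with STARTTLS", EHLO_WITH_TLS), ("without", EHLO_NO_TLS)):
            action, why = plan_session(port, reply)
            print(f"port {port:3d} {name:14s} -> {action:12s} ({why})")
        print(f"port {port:3d} handshake fail  -> {on_handshake_failure(port)}")
```

The point the model makes visible: on the opportunistic port a peer that never advertises STARTTLS, or whose handshake breaks, silently ends up in cleartext, so the warning line is the only thing that tells the operator which peers are doing that; on the forced port the same condition is a hard failure, which is why it is safe to require it only where the clients are known.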

