Re: Advice on MTA blacklist

On Tue, 9 Oct 2007, Jo Rhett wrote:

> On Oct 9, 2007, at 4:22 PM, Chris Edwards wrote:
> > Your server then enforces encryption and SMTP-AUTH, and the SSL will
> > (hopefully) defeat any man-in-the-middle attacks by trans-proxies.
>
> That's exactly the problem I am reporting. A lot of mail clients
> don't enforce SSL connections, so man in the middle is silently
> accepted. Only T-bird can be configured to not work any other way,
> TTBOMK.
Jo you didn't read Chris's statement closely. A conscientious mail server administrator will configure the SERVER to -ONLY- accept encrypted connections for SMTP-AUTH transactions; the server should enforce the encryption requirements.
Thus it does not matter what the client wants to do, the server should not let the client continue the SMTP-AUTH transaction until it has completed the STARTTLS operation (or in the case of SMTPS, it's already encrypted).

Back to Skip's question, possibly the easiest way to solve his problem would be to run two SMTP servers, one on port 25 with full spam/AV scanning for regular mail traffic, one on ports 587 & 645 with SMTP-AUTH/TLS for his users' clients to submit messages, on that one have AV scanning and possibly limited spam scanning.

-- 
Dave Funk                                  University of Iowa
        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{