[Ach] SMTP client mode ciphers

Wolfgang Breyha wolfgang.breyha at univie.ac.at
Tue Nov 19 12:55:32 CET 2013


christian mock wrote, on 19.11.2013 12:10:
> So we definitely should recommend:
> - no auth on 25
> - strong ciphers, auth on 587
> - make sure your mail server can be configured to not offer auth until
>   after STARTTLS

I started a "SMTP in general" chapter last night, but didn't finish it
for a final push. I tried to describe the three modes we discussed and what
the recommended steps are to get a decent configuration for every mode.

I would also recommend separating MSA from MX, at least by listening on
different IPs. That's way better than "no auth on 25" since most MUAs still
use that as default, since most servers still don't offer port 587. *sigh*
And it gives way better options to filter spam differently, too.

If that's not possible your list looks fine, but I think it's pretty difficult
or impossible to configure some parts in certain MTAs. It is possible with
Exim, but not an easy task.

The problem I see is that the SMTP chapter will get rather large and complex
compared to every other topic. Don't know if this is intended.

Unfortunately I can't continue writing this chapter until Thursday evening.

Wolfgang Breyha <wolfgang.breyha at univie.ac.at> | http://zid.univie.ac.at/
Vienna University Computer Center              | Austria
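
The three points in the quoted list, written as a check over captured EHLO replies. This is an added example, not part of the original message; the hostnames and replies are constructed, and `parse_ehlo` and `audit` are hypothetical names.

```python
import re

def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    keywords = set()
    # The first line is the server greeting, not an extension.
    for line in reply.strip().splitlines()[1:]:
        # Also matches the legacy "AUTH=PLAIN LOGIN" form as keyword AUTH.
        m = re.match(r"250[- ]([A-Za-z0-9-]+)", line.strip())
        if m:
            keywords.add(m.group(1).upper())
    return keywords

def audit(port, before_tls, after_tls=""):
    """Check one listener's EHLO replies (before and after STARTTLS)."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    if "AUTH" in pre:
        findings.append("AUTH offered before STARTTLS")
    if port == 25 and "AUTH" in (pre | post):
        findings.append("AUTH offered on port 25")
    if port == 587:
        if "STARTTLS" not in pre:
            findings.append("STARTTLS not offered on 587")
        elif "AUTH" not in post:
            findings.append("AUTH not offered on 587 after STARTTLS")
    return findings

# Constructed sample replies (not captured from any real server).
PLAIN_OK = ("250-mail.example.org Hello\r\n250-SIZE 52428800\r\n"
            "250-PIPELINING\r\n250-STARTTLS\r\n250 HELP")
TLS_OK = ("250-mail.example.org Hello\r\n250-SIZE 52428800\r\n"
          "250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250 HELP")
PLAIN_BAD = ("250-mail.example.org Hello\r\n250-AUTH=PLAIN LOGIN\r\n"
             "250-STARTTLS\r\n250 HELP")

if __name__ == "__main__":
    for port, pre, post in [(25, PLAIN_OK, PLAIN_OK), (587, PLAIN_OK, TLS_OK),
                            (25, PLAIN_BAD, TLS_OK), (587, PLAIN_BAD, TLS_OK)]:
        print(port, audit(port, pre, post) or "ok")
```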
