> Well, spamd never actually tries to deliver mail. In a normal
> scenario, the hosts that will talk to spamd are ones that have never
> delivered mail to your site before (greylisting) or the ones we know
> are trying to deliver spam (already blacklisted somewhere, greytrapped
> etc).
>
> I suppose the day may come eventually when spammers will only try to
> deliver if the other side announces TLS available, but we're certainly
> not there yet. It's a lot more useful to keep it simple: set up your
> real mail server with TLS and forget about complicating the path to
> spamd. After all, it's only the whitelisted hosts that will actually
> need a secure connection.

Doh! I had a bit of a Homer moment from rushing things.

I'd even written most of the pf.conf and still didn't consider the rdr-to white rule. I read in the mailing list that spamd didn't work with STARTTLS and didn't need to because it would fall back. I didn't look closely enough and missed the point about whitelisted hosts being passed straight through. I was also thrown a bit by assuming (something I usually try my best not to do) that allowed domains applied to all connections, but it only applies to grey. Sorry for the noise and thanks for ironing me out.

> Peter N. M. Hansteen, member of the first RFC 1149 implementation team

Do you not think it would be better for mail servers to try SSL on one port and then plain on port 25 if a RST or timeout occurs? Then it would be harder for attackers to force falling back to plain, and forcing only TLS would be easier.
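The ruleset the thread is talking about, given here as an added example (it is not the poster's pf.conf, and it follows the layout in the OpenBSD spamd(8) manual page), shows why the "rdr-to white rule" matters. It assumes the external interface is in the egress group, that spamd listens on 127.0.0.1, and that the port name spamd resolves via /etc/services:

```pf
# Hosts spamd has whitelisted (filled in by spamd-setup/spamlogd)
table <spamd-white> persist
# Hosts you never want greylisted, e.g. known-good relays
table <nospamd> persist file "/etc/mail/nospamd"

# Default: every inbound SMTP connection is redirected to spamd
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd

# Later rules win in pf, so these two override the rdr-to above:
# whitelisted and trusted hosts go straight to the real MTA,
# which is where STARTTLS is actually negotiated.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp

# Outbound mail from the MTA itself
pass out log on egress proto tcp to any port smtp
```

The point the quoted reply makes is encoded in the rule order: because pf uses last-match semantics, the plain pass rules placed after the rdr-to rule take precedence for anything in <nospamd> or <spamd-white>, so those senders never see spamd and the question of spamd speaking TLS does not arise. If a whitelisted sender still appears not to get STARTTLS, check that it is actually in the table with `pfctl -t spamd-white -T show`, and validate the ruleset syntax with `pfctl -nf /etc/pf.conf` before loading it.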