On Wed, May 05, 2010 at 07:27:46PM +0100, Kevin Chadwick wrote:
> Of course, if it's your mail server and clients you can use IPs without
> DNS, have certificates tied to those IPs and even block or monitor resets,
> none of which can be done with STARTTLS, and it is also a smaller window
> of opportunity. You can always reset the STARTTLS too and man in the
> middle that, just one less opportunity.
>
If it's your mail server and clients, you can just force certificate checking on the hosts you want to connect to with TLS. Using a different port adds no cryptographic security (authentication) at all, so it's useless complexity.
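A client-side version of what the reply describes, added here as an example and not code from either poster: a Python STARTTLS submission client that refuses to send unless the server advertises STARTTLS, the handshake succeeds, and the certificate verifies against the CA bundle and the hostname, with an optional SHA-256 fingerprint pin for the "certificates tied to your own hosts" case. The host, port, addresses, message and fingerprint constant are constructed assumptions; the EHLO reply bytes used in testing are constructed too.

```python
import hashlib
import smtplib
import ssl

# Constructed values for illustration, not taken from the original thread.
EXPECTED_HOST = "mail.example.org"   # hostname the certificate must match
EXPECTED_PORT = 587                  # submission port: STARTTLS, not a dedicated TLS port
EXPECTED_FINGERPRINT = None          # e.g. "AB:CD:..." (SHA-256 of the DER cert); None = CA check only


def starttls_offered(ehlo_response: bytes) -> bool:
    """True only if the EHLO reply advertises STARTTLS.

    smtplib hands back the reply text with the "250-"/"250 " prefixes already
    stripped, but raw reply lines are accepted too. A downgrade attacker deletes
    this line; the caller must then refuse, not fall back to plaintext.
    """
    for line in ehlo_response.splitlines():
        text = line.strip()
        if text[:4] in (b"250-", b"250 "):
            text = text[4:]
        if text.upper() == b"STARTTLS":
            return True
    return False


def fingerprint(der_cert: bytes) -> str:
    """Lower-case hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare against a pinned value written either as plain hex or in the
    colon-separated form that openssl and MTA configs usually show."""
    return fingerprint(der_cert) == expected.replace(":", "").lower()


def make_context(cafile=None) -> ssl.SSLContext:
    """A context that actually authenticates the peer: CA chain, hostname, TLS >= 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_verified(host, port, sender, recipients, message, cafile=None, expected_fp=None):
    """Deliver `message` only over an authenticated STARTTLS session.

    Fails closed at every point where an opportunistic client would carry on:
    STARTTLS not advertised, STARTTLS refused, certificate not verifiable, or
    (when pinned) a certificate other than the one we expect.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        code, reply = smtp.ehlo()
        if code != 250 or not starttls_offered(reply):
            raise RuntimeError("server did not advertise STARTTLS; refusing to send in the clear")
        code, _ = smtp.starttls(context=make_context(cafile))  # verifies chain and hostname
        if code != 220:
            raise RuntimeError("server refused STARTTLS")
        der = smtp.sock.getpeercert(binary_form=True)          # socket is now an SSLSocket
        if expected_fp is not None and not fingerprint_matches(der, expected_fp):
            raise RuntimeError("certificate fingerprint mismatch: " + fingerprint(der))
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the handshake
        smtp.sendmail(sender, recipients, message)


if __name__ == "__main__":
    send_verified(EXPECTED_HOST, EXPECTED_PORT, "me@example.org", ["you@example.org"],
                  "Subject: test\r\n\r\nhello\r\n", expected_fp=EXPECTED_FINGERPRINT)
```

Every check here happens inside the TLS layer or in the client's own policy; moving the same session to a dedicated TLS port would leave all of them exactly as they are, which is the reply's point. The pin is optional: with it the client authenticates one specific certificate, without it the CA bundle plus hostname does the work.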