On Wed, May 05, 2010 at 09:46:08AM +0100, Kevin Chadwick wrote:
> Sorry,
> 
> I may be confused about the term for MTAs using ssl to deliver mail to
> me. I just feel wrong using tls for delivering mail to other servers or
> at least a hop, without letting them do the same. Obviously the benefits
> of spamd outweigh the tls. I was wondering about something like
> relayd, nginx or stunnel in front of spamd but I think that I
> would either break allowing plain connections or would have to provide
> a way of bypassing relayd using submission and smtp ports, which I won't
> do.

Are you caring about MUAs submitting email, or MTAs relaying email?

If the former, use "submission" (RFC 4409, SMTP-AUTH required over 
the submission port, never goes near spamd.  If you provide a mail
server for client MUAs on networks such as AT&T's residential
offerings, you need to provide this service anyway and educate your 
users).

If the latter you have a few options.
0) Don't worry about it, let the sending MTA negotiate for
TLS after spamd has whitelisted it.
1) Whitelist the SMTP servers you trust to actually do TLS.
2) Use the deprecated SSL/SMTP (aka SMTPS) port.  Sorry,
I don't know if relayd's SSL acceleration will help here.
3) Use a greylisting engine other than spamd that supports
TLS and SMTP-AUTH (it would appear that spey and ITEISA can do that).
4) Patch spamd to handle TLS negotiation and SMTP-AUTH for
immediate whitelisting.


-- 
Chris Dukes
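As an added illustration of the submission/relay split and of options 0 and 1 above (example configuration, not from the thread or from either poster), a pf.conf fragment for spamd(8) in greylisting mode. It assumes a recent OpenBSD with the `egress` interface group and the `divert-to` syntax; the 2010-era syntax used `rdr ... -> 127.0.0.1 port spamd` instead, and the `/etc/mail/nospamd` file and its contents are assumed.

```conf
# Added example pf.conf fragment, not from the original thread.
# Assumes a recent OpenBSD with spamd(8) greylisting and the "egress" group;
# older releases used "rdr ... -> 127.0.0.1 port spamd" rather than divert-to.

# Hosts spamd has already whitelisted, and peers you trust to do TLS
# (option 1), maintained by hand in /etc/mail/nospamd (assumed path).
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# Unknown senders on port 25 are diverted to spamd for greylisting ...
pass in on egress proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd

# ... but trusted peers and already-whitelisted hosts reach the MTA
# directly, so their STARTTLS negotiation is never stalled by spamd
# (options 0 and 1). pf is last-match-wins, so these override the divert.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp

# Client MUAs use the submission port (RFC 4409); SMTP-AUTH and TLS are
# enforced by the MTA itself, and this traffic never touches spamd.
pass in on egress proto tcp from any to any port submission

# Outbound mail, so the local MTA can negotiate TLS with remote servers.
pass out on egress proto tcp to any port smtp
```

Because pf evaluates rules last-match-wins (absent `quick`), the later `pass` rules for `<nospamd>` and `<spamd-white>` take precedence over the earlier `divert-to` rule for those sources.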