Jake Vickers wrote, at 10/08/2008 10:49 AM:
> Are there good reasons to NOT use TLS on port 25? (ie: in master.cf: -o
> smtpd_use_tls=no)
> Curious as to if it breaks things for certain clients or something.

There's a good reason not to *require* STARTTLS on port 25, if you want
to allow connections from client MTAs that don't do TLS.

I configure opportunistic TLS at the global level in main.cf:

 smtp_tls_security_level = may

But I require it for the submission service in master.cf:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Note that smtpd_use_tls and smtpd_enforce_tls have been obsoleted by
smtpd_tls_security_level:

 http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

There are probably cases where specialized servers handle high traffic
mail that doesn't require encryption, in order to reduce the
computational overhead and stretch the hardware dollar.

Personally, I think there's a strong case for enforcing encryption,
which could offer some relief from spambots (albeit temporary, until
they catch up and add TLS functionality). Unfortunately, this is
currently not feasible if you want to receive mail.
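As an added check (not part of the reply or of Postfix itself), the script below lints a main.cf and master.cf pair against the policy described above: it parses master.cf's indented `-o key=value` continuation lines, flags the obsolete smtpd_use_tls / smtpd_enforce_tls parameters, warns if port 25 is set to `encrypt`, and confirms that the submission service enforces TLS and SASL. The two sample configs are constructed for the example; values containing spaces (which master.cf wraps in braces) are assumed absent.

```python
"""Lint Postfix main.cf/master.cf for the opportunistic-on-25, enforced-on-submission TLS policy."""
import re

OBSOLETE = {"smtpd_use_tls", "smtpd_enforce_tls"}  # superseded by smtpd_tls_security_level

def parse_main_cf(text):
    """main.cf is 'key = value' per line; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, val = line.split("=", 1)
            params[key.strip()] = val.strip()
    return params

def parse_master_cf(text):
    """Unindented line = service entry (name type ... command); indented lines continue it.
    '-o key=value' (on either kind of line) sets a per-service override. Brace-quoted
    values with spaces are assumed absent (constructed example, not full master.cf syntax)."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            fields = line.split()
            current = fields[0]
            services[current] = {"command": fields[7] if len(fields) > 7 else "", "overrides": {}}
        if current:
            for key, val in re.findall(r"-o\s+([^\s=]+)=(\S*)", line):
                services[current]["overrides"][key] = val
    return services

def lint(main_cf, master_cf):
    """Return a list of findings; an empty list means the policy from the reply is in place."""
    params, findings = parse_main_cf(main_cf), []
    for p in sorted(OBSOLETE & set(params)):
        findings.append(f"main.cf: {p} is obsolete; use smtpd_tls_security_level")
    for name, svc in parse_master_cf(master_cf).items():
        if svc["command"] != "smtpd":
            continue
        o = svc["overrides"]
        for p in sorted(OBSOLETE & set(o)):
            findings.append(f"master.cf {name}: {p} is obsolete; use smtpd_tls_security_level")
        level = o.get("smtpd_tls_security_level", params.get("smtpd_tls_security_level", "none"))
        if name == "smtp" and level == "encrypt":
            findings.append("master.cf smtp: TLS required on port 25 rejects MTAs without STARTTLS")
        if name == "submission" and (level != "encrypt" or o.get("smtpd_sasl_auth_enable") != "yes"):
            findings.append("master.cf submission: set smtpd_tls_security_level=encrypt and smtpd_sasl_auth_enable=yes")
    return findings

MAIN_CF = "# constructed sample main.cf\nsmtpd_tls_security_level = may\n"
MASTER_CF = """# constructed sample master.cf
smtp      inet  n  -  n  -  -  smtpd
submission inet n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n  -  n  -  -  smtpd -o smtpd_use_tls=yes
"""

if __name__ == "__main__":
    for finding in lint(MAIN_CF, MASTER_CF):
        print(finding)
```

Run against a real installation with `lint(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read())`; the sample above yields one finding, for the obsolete parameter on the smtps entry.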
