On 12/13/2012 1:51 AM, Reindl Harald wrote:
> 
> 
> Am 13.12.2012 07:26, schrieb Stan Hoeppner:
>> On 12/12/2012 6:05 PM, Tony Nelson wrote:
>>
>>> I think it's in my best interest to get TLS operational again.
>>
>> So, you encrypt the transmission from the internal corporate groupware
>> server to the gateway server via a private network that you completely
>> control.  But then you relay the same message over the public internet
>> in plain text.
>>
>> There seems to be a flaw in your logic, in your threat assessment.  Your
>> stated posture makes it seem you are more worried about malicious packet
>> sniffing inside your perimeter than outside
> 
> which is reality in the real life
> 
> there is MUCH more danger that someone connects to your
> LAN than somebody is able to do the same at ISP level

In order to sniff the SMTP traffic from the Exchange server to the
Postfix server, someone "on the LAN", as you put it, would first need to
gain admin access to one of the switches or segment routers, then clone
one of the two ports, then sniff the traffic.  Or clone the traffic on
an ISL, assuming the two servers are not on the same switch.  In a well
managed network with strong authentication on network devices, I find
this scenario extremely unlikely.

However, this is a tangential argument.  The point of my post is that if
one isn't doing TLS (opportunistic or full time) between the gateway and
remote MX hosts, then using TLS between the Exchange server and gateway
is irrelevant and unnecessary.

-- 
Stan
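As an added illustration (not part of the original thread) of the point above, here is a Postfix main.cf fragment that enables TLS on both legs: inbound from the groupware server and opportunistic outbound to remote MX hosts, so the gateway-to-internet hop is not left in plain text. The certificate, key and CA paths are assumed placeholders.

```conf
# --- Inbound: offer STARTTLS to the internal groupware server (and anyone else)
# Paths below are placeholders; substitute the gateway's real certificate files.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/gateway.crt
smtpd_tls_key_file  = /etc/postfix/certs/gateway.key
# Record the TLS details of the inbound session in the Received: header
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# --- Outbound: use STARTTLS whenever the remote MX offers it (opportunistic TLS).
# Without this line, relaying to the internet is cleartext regardless of the inbound setting.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Log remote hosts that offer STARTTLS but where TLS was not used, to spot gaps
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1

# Optional: per-destination overrides for partners where TLS must be mandatory
# (file is a placeholder; entries look like "partner.example  encrypt")
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

After reloading, `grep -i 'TLS connection established' /var/log/mail.log` shows which outbound and inbound sessions actually negotiated TLS.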
