On Mon, Jan 09, 2012 at 09:03:23AM +0100, Ralf Hildebrandt wrote:

> Personally, I'd go for mandatory TLS between the two machines with no
> encryption (but compression) - I guess Victor will correct me, but I think
> that should work.

That would be fine provided the OpenSSL libraries on both sides
are built with zlib support. The bandwidth overhead of encryption
and integrity is rather low, and configuring eNULL ciphers is a
pain, so I'd just enable TLS (opportunistic is sufficient) and
compression will automatically kick in when both sides support it.

One should however avoid overly large certificates that can add a
lot of extra data to small messages (which are still the norm).

If TLS is enabled selectively just between two systems (not
opportunistically to all destinations), then if both systems
are Postfix, and the security level is "encrypt" or "may", no
bloated certificates will be exchanged.

-- 
        Viktor.
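To make the selective setup described in the reply concrete, here is an added configuration sketch (not from the original thread and not Viktor's own text) for two Postfix hosts where one relays to the other. Hostnames, file paths and the policy table location are placeholders. The sending host stays opportunistic ("may") for everyone else and is forced to "encrypt" only for the named peer via smtp_tls_policy_maps; with both sides running Postfix at level "may" or "encrypt", the Postfix client prefers anonymous (aNULL) cipher suites, so no certificate is sent across the session. Note that TLS-level compression only applies if the OpenSSL build on both ends has zlib support, and that current OpenSSL releases disable TLS compression by default, so on a modern system the compression part of this plan will not materialise.

```conf
# --- sending host: /etc/postfix/main.cf (placeholder values) ---
# Deliver everything via the peer; the [] form disables MX lookups.
relayhost = [peer.example.net]
# Opportunistic TLS by default; upgraded per destination via the policy map.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Log one summary line per TLS session so the cipher choice can be confirmed.
smtp_tls_loglevel = 1

# --- sending host: /etc/postfix/tls_policy (run: postmap /etc/postfix/tls_policy) ---
# Lookup key is the next-hop as written in relayhost, brackets included.
[peer.example.net]    encrypt

# --- receiving host: /etc/postfix/main.cf (placeholder values) ---
smtpd_tls_security_level = may
# Keep the certificate and chain small; it is only sent to non-Postfix
# clients that negotiate certificate-based cipher suites.
smtpd_tls_cert_file = /etc/postfix/smtpd-cert.pem
smtpd_tls_key_file = /etc/postfix/smtpd-key.pem
smtpd_tls_loglevel = 1
```

After "postfix reload" on both hosts, the sender's mail log should record the session as "Anonymous TLS connection established to [peer.example.net]..." when an aNULL suite was negotiated (i.e. no certificates were exchanged), versus "Untrusted TLS connection established ..." when the server certificate was sent. "postconf -n | grep tls" shows the effective non-default TLS settings on each side.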
