Hello. I am looking for clarification on RFC 5068 3.2 or any related/
updated/replaced RFCs. Outside of those, general best practice ideas
for moving forward would be appreciated.
In regards to AUTH on ports 25 and 587, I was under the impression we
should be trying to migrate all clients to 587 for AUTH when in
submission. Does this also mean best practice would be to close AUTH
on 25 in order to more aggressively pursue this?
What administrative plusses are there by doing so, if any? I would
think at the least, being able to disable 25 when under attack but
still allow users to submit would be one reason. Are there other
benefits?
Is there another RFC that addresses this? I'm being told that
disabling AUTH on 25 would be in violation of the above RFC, though
that is not how I read it.
In regards to opportunistic TLS, a quick telnet to 10 random MXs
shows STARTTLS after ehlo in about 50% of the cases. Disabled AUTH was
in 90%. Is there an RFC for opportunistic TLS?
I'm running it now, but wonder what your experiences are. It's
certainly nice to see a 50% use rate, but I worry I may have delivery
problems. Is there general high reliability to this? Is there a way to
disable opportunistic TLS coming from specific senders if I do run
into problems?
I am looking to "do the right thing" moving forward, and want to be
sure I am not implementing bad internal policy as a result of
misunderstanding RFC and best practices for moving forward.
Thank you postfixers.
--
Scott
Iphone says hello.
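Added example (not the poster's configuration and not from this thread): a Postfix main.cf / master.cf sketch of the layout asked about above, AUTH offered only on the submission service and only after STARTTLS, opportunistic TLS on port 25 and outbound, plus the two per-peer opt-outs Postfix provides if a specific destination or client turns out to break on STARTTLS. Certificate paths, the map file names and the example networks/domains are assumptions.

```conf
# ---- main.cf (assumed paths; hostnames and networks are placeholders) ----

# Port 25: MTA-to-MTA only, no AUTH, TLS offered but not required
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key
smtpd_tls_loglevel  = 1

# Hide STARTTLS from specific *inbound* clients that misbehave after EHLO.
# Lookup result is the list of EHLO keywords to suppress for that client.
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access

# Outbound: opportunistic TLS by default, per-destination overrides in a map
smtp_tls_security_level = may
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
smtp_tls_loglevel       = 1

# ---- master.cf: submission (587) is the only service that offers AUTH ----
# Fields: service type private unpriv chroot wakeup maxproc command
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ---- /etc/postfix/esmtp_access (cidr map, no postmap needed) ----
# Hypothetical sender network whose MTA fails after STARTTLS:
# 192.0.2.0/24   silent-discard, starttls

# ---- /etc/postfix/tls_policy (run: postmap /etc/postfix/tls_policy) ----
# Hypothetical destination whose MX breaks on STARTTLS; all others keep "may":
# broken-tls.example   none
```

The inbound map changes only what the EHLO response advertises to the listed networks; clients not listed still see STARTTLS and AUTH is never advertised on port 25 either way.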