Re: SMTP And TLS

On 30 May, 18:34, "Sanford Whiteman" <swhitemanlistens-
softw...@xxxxxxxxxxxxxxxxxxxxx> wrote:
I think your solution means that if a non tls connection was
initiated, it would be accepted and mail would flow through the VS.

Yes, although this is a quite standard setup; if you have an agreement
with a third party to encrypt traffic over the public Internet, it is
incumbent on both sides to ensure encryption, since you are using
protocols that work with and without it.

If you have a public MX that doesn't require TLS and a private MX that
does require TLS, and you want to completely block a certain party from
using the public machine, you have to make sure their source IPs aren't
even allowed to connect. (And what if they change IPs?)

Conversely, if you're not going to publish a public MX *at all*, then
disallow Anonymous on your single VS and restrict that VS (at the
firewall) to only accept connections from their source IPs.

I need to ensure that the TLS connection between my IIS SMTPVS and the
ISP is definitely TLS or I need an NDR needs to be generated.

NDR? Not really; you want the connection to be rejected by your MX. What
the ISP does next is up to them (I don't think in terms of the final
disposition of the message, just what I do with it).

For this reason, I believe 2 VS's are required. But how to configure
them???

One accepts Anonymous and the other doesn't. It's simple. Although
maintaining the rest of the the two-VS setup is more annoying than one
(two queues, sets of logs, etc.).

--Sandy

Thanks Sandy.
I will try using just the 1 VS first.
In doing it this way, if I only open port 465 on the firewall to the
IIS server and not port 25, this should achieve what I need - or is it
the case that port 25 needs to be open for initial communication?

- Jason.

.

Loading