On 13/01/2014 07:24, sharfuddin wrote:
> We have implemented a TLS Certificate (by Symantec) with our Mail
> Servers. Now how can I make sure that Mail Servers of a few other
> organizations that use TLS (by CA), and my Mail Servers always
> communicate securely using Certificate.
> Do we need to exchange the certificates?
No, but be aware the easiest MITM attack is to just mask the initial
STARTTLS capability in the EHLO response; opportunistic TLS will then
not bother to start an encrypted session, and send the whole thing in
plaintext. This of course requires MITM interception of the session
though, rather than passive data monitoring.
Few if any email servers enforce TLS, and some (like GWIA, last I
looked) don't even check the certificate...
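One way a sending client can fail closed against the capability stripping described above, as an added example that is not part of the original mail: it refuses to deliver unless the EHLO reply advertises STARTTLS, and then verifies the server certificate with the default CA bundle. It uses Python's standard smtplib; the host, addresses and the two EHLO replies are constructed.

```python
"""Fail-closed STARTTLS for an SMTP client: refuse plaintext delivery when
the server's EHLO reply does not advertise STARTTLS, and verify the cert."""
import smtplib
import ssl


class StartTlsNotOffered(Exception):
    """EHLO capabilities lack STARTTLS (possible capability stripping by a MITM)."""


def parse_ehlo_capabilities(ehlo_message: bytes) -> set:
    """Return capability keywords from the EHLO reply body that smtplib.SMTP.ehlo()
    returns: the first line is the server's domain, later lines are keywords
    such as 'STARTTLS' or 'SIZE 10240000' (only the keyword is kept)."""
    caps = set()
    for line in ehlo_message.decode("ascii", "replace").splitlines()[1:]:
        keyword = line.strip().split(" ", 1)[0].upper()
        if keyword:
            caps.add(keyword)
    return caps


def starttls_offered(ehlo_message: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_capabilities(ehlo_message)


def require_starttls(ehlo_message: bytes) -> bool:
    """Raise instead of silently falling back to a plaintext session."""
    if not starttls_offered(ehlo_message):
        raise StartTlsNotOffered("STARTTLS not advertised; refusing plaintext delivery")
    return True


def send_enforcing_tls(host, port, sender, recipient, message, timeout=10):
    """Deliver only over verified TLS; any failure raises rather than sending in clear."""
    context = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, resp = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        require_starttls(resp)
        smtp.starttls(context=context)
        smtp.ehlo()  # EHLO must be re-issued after the TLS handshake (RFC 3207)
        smtp.sendmail(sender, recipient, message)


# Constructed sample EHLO bodies (hypothetical server, not a real host):
EHLO_WITH_STARTTLS = b"mail.example.org\nSIZE 10240000\nSTARTTLS\n8BITMIME"
EHLO_STRIPPED = b"mail.example.org\nSIZE 10240000\n8BITMIME"
```

The same fail-closed policy is what a mail server's outbound TLS setting (for example a "mandatory" or "encrypt" security level) provides on the server side, at the cost of non-delivery to peers that do not offer STARTTLS.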