> Well, spamd never actually tries to deliver mail. In a normal
Doh! I had a bit of a Homer moment from rushing things.
I'd even written most of the pf.conf and still didn't consider the rdr-to
white rule. I read on the mailing list that spamd didn't work with
STARTTLS and didn't need to because it would fall back. I didn't look
closely enough and missed the point about whitelisted hosts being passed
straight through. I was also thrown a bit by assuming (something I
usually try my best not to do) that allowed domains applied to all
connections, but they only apply to greylisted ones. Sorry for the noise and
thanks for ironing me out.
Do you not think it would be better for mail servers to try SSL on one
port and then plain on port 25 if an RST or timeout occurs? Then it
would be harder for attackers to force a fallback to plain, and
forcing TLS only would be easier.
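For reference, the pf.conf arrangement the thread is talking about looks like this. It is an added example, not the poster's configuration or anything from the original thread; it assumes the external interface(s) are in the `egress` group, that spamd listens on its default 127.0.0.1 port 8025 (the `spamd` service name in /etc/services), and uses the table names from spamd(8): `<spamd-white>` is maintained by spamd itself, `<nospamd>` is a hand-maintained bypass list loaded from /etc/mail/nospamd.

```pf
# Added example pf.conf fragment for spamd (not from the original post).
# Assumptions: external interface(s) are in the "egress" group, spamd is
# on 127.0.0.1 port 8025 (the default), table names follow spamd(8).

table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# Everything arriving on port 25 is first redirected into spamd ...
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd

# ... but pf applies the *last* matching rule (no "quick" here), so the
# rules below override the redirect for whitelisted and locally exempted
# hosts: they reach the real MTA directly and never touch spamd at all.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp

# Outbound SMTP from the mailhost itself.
pass out log on egress proto tcp to any port smtp
```

Because the whitelist rules are plain pass rules with no rdr-to, a host that is in `<spamd-white>` talks to the real MTA and negotiates STARTTLS as usual; only greylisted and blacklisted connections ever land in spamd, which is why spamd's own settings (the allowed-domains list included) have no effect on whitelisted senders. Sanity-check the rule order with `pfctl -nf /etc/pf.conf` and inspect what spamd has whitelisted with `pfctl -t spamd-white -T show`.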