Ross Becker wrote:
> Looking at the ssl_mode options, there doesn't appear to be a
> none_outgoing, which is what I believe I want.
Read the man page again.
If you specify ssl_listen only, then outgoing is unencrypted by default.
We fine-grain each protocol, with 4 config files:
perdition.imap4.conf
perdition.imaps.conf
perdition.pop3.conf
perdition.pop3s.conf
Our setup is actually the reverse, we enforce all backend
connections to the server to SSL. The penalty of encryption
to backends is IMO overstated and a waste of time to pursue.
Setting up a private network to keep all your passwords from
being sniffed blah blah is a common solution, but it's
spending dollars' worth of man-hours to save a few pennies.
SSL imposes at most a 20% overhead on CPU these days.
This is not the 90's. Unless you are trying to run 10K users on
a Pentium III, you will not run out of CPU.