I'm not sure I'm brave enough to force forward secrecy in my Exim config just yet -- I can't find an option to log handshakes (unless it is logged as part of the message logs -- which can be kept) -- but I suppose refused messages would show up in the reject log.
Still, I'm not sure if I'm even ready to force SSL at all... for incomming SMTP. Sounds like a good way to break your email infrastructure (and reduce spam ;-).
Essentially mail transport is pretty much unencrypted -- I see SSL/TLS having potential to help fight spam by forcing some form of authentication (via DNS sec, CAs etc) -- but not really a useful tool for securing email from snooping -- for that I would advocate S/MIME and/or GnuPG (Gnu Privacy Guard).
Still, I'm not sure if I'm even ready to force SSL at all... for incomming SMTP. Sounds like a good way to break your email infrastructure (and reduce spam ;-).
Essentially mail transport is pretty much unencrypted -- I see SSL/TLS having potential to help fight spam by forcing some form of authentication (via DNS sec, CAs etc) -- but not really a useful tool for securing email from snooping -- for that I would advocate S/MIME and/or GnuPG (Gnu Privacy Guard).