Should I use SSL for a receive only SMTP server?
Yes. SSL/TLS should be used on receiving mail. MITM is possible, though requiring DKIM authentication should prevent this from manipulating the message. A signed certificate is the best way to mitigate MITM, and they are free with Let's Encrypt and easily automated if you are using a platform that supports it.
When it comes to SMTP, TLS is not bulletproof for preventing MitM, because the strong backwards compatibility allows self-signed certificates, older TLS and SSL versions, and even fallback to unencrypted connections. Because an SMTP connection to port 25/tcp always begins in plain text and requires STARTTLS, it is easy for a MitM to strip the 250-STARTTLS, making the client believe the server does not support TLS. The DNS-Based Authentication of Named Entities (DANE, RFC 6698) addresses this problem, but must be supported by both parties.
That said, TLS is still useful with SMTP, because not using it makes MitM both easier and harder to detect. E.g., from the previous Received header you should be able to see whether the connection was encrypted or not, along with the cipher suite used.
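As an added illustration of the last point (example code written for this page, not part of the answer above), the script below walks the Received headers of a message and reports, per hop, whether the session was TLS-protected and which protocol and cipher were used. It assumes the RFC 3848 "with ESMTPS/ESMTPSA" keywords and the Postfix-style "(using TLSv1.2 with cipher ...)" comment; the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original post). The older hop
# (listed second) came in over STARTTLS; the final delivery hop did not,
# which is exactly what a stripped 250-STARTTLS would leave behind.
SAMPLE_MESSAGE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 4ABC123\n"
    "\tfor <user@example.org>; Tue, 01 Jan 2019 10:00:00 +0000\n"
    "Received: from mail.example.com (mail.example.com [198.51.100.5])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\tby relay.example.net (Postfix) with ESMTPS id 1DEF456\n"
    "\tfor <user@example.org>; Tue, 01 Jan 2019 09:59:58 +0000\n"
    "From: sender@example.com\nTo: user@example.org\nSubject: test\n\nbody\n"
)

# "with" keywords that RFC 3848 / RFC 6531 reserve for TLS-protected sessions.
TLS_WITH = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
# from <host> ... by <host> ... with <keyword>; the "with" is searched after "by"
# so that a "with cipher" inside a TLS comment is not mistaken for it.
HOP = re.compile(r"^from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Z0-9]+)",
                 re.I | re.S)
# Postfix-style TLS comment: "(using TLSv1.2 with cipher NAME (bits))"
TLS_COMMENT = re.compile(r"\(using\s+(?P<proto>\S+)\s+with\s+cipher\s+(?P<cipher>\S+)", re.I)


def analyse_received(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        hop = HOP.search(flat)
        if hop is None:
            continue                            # not a from/by/with trace line
        tls = TLS_COMMENT.search(flat)
        with_kw = hop.group("with").upper()
        hops.append({
            "from": hop.group("from"), "by": hop.group("by"), "with": with_kw,
            "tls": with_kw in TLS_WITH or tls is not None,
            "proto": tls.group("proto") if tls else None,
            "cipher": tls.group("cipher") if tls else None,
        })
    return hops


def cleartext_hops(hops):
    """Hops that were not TLS-protected, as 'from -> by' strings (worth alerting on)."""
    return [f"{h['from']} -> {h['by']}" for h in hops if not h["tls"]]


if __name__ == "__main__":
    hops = analyse_received(SAMPLE_MESSAGE)
    for h in hops:
        print(h)
    print("clear-text hops:", cleartext_hops(hops))
```

Only the hop recorded by your own receiving server is trustworthy; earlier Received headers were written by other parties and can be forged.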
Yes, you should. If your domain has DNSSEC, you should probably deploy DANE also.