[mmorse]

Or the new 'redirect' mode. (Won't have to type that extra s in the url either - it's automatic.)

What we're saying is besides just the logins there may be more important things in the body of your emails to protect.

Also might upgrade that 5.0.9 > 5.0.16 (As some of the third-paty products we bundle occasionally have fixes for their own flaws.)

Now why have 'mixed' mode at all? Secure sessions do use a little more resources on both ends, and often browsers are configured to not cache data as long for https sessions. So some just want it for the auth part only.

Make sure your self-signed certs are current (there's a section in the admin console), or you can add commercial certs so users aren't prompted for an extra security confirmation. It's more of an identity trust issue than an actual encryption difference.

Unless your talking thousands of users probably no need to tweak zimbraHttpSSLNumThreads (50) the counterpart to zimbraHttpNumThreads (250). (Examine your access logs and look at concurrent connections/sec at peak.)