Are you aware that SSL on port 636 is now considered deprecated in favor of START_TLS on port 389?
No, I'm not (I actually thought that it was the other way round).
I found it practical to have a port (389 or equivalent) that I could authorize via iptables only on the local network, and another one (636 or equivalent) that could be accessed from outside.
What are the pros and cons of both approaches?
Comments more than welcome!