On Fri, 2014-08-08 at 15:36 +0200, Reindl Harald wrote:
> On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
> > Postfix is a different kind of beast though. It does not typically use
> > TLS, but uses some kind of opportunistic security that allows anonymous
> > ciphersuites. So it's a bit hard to enforce anything there, as
> > man-in-the-middle attacks are possible by design
>
> and keep in mind in case of opportunistic TLS if you restrict
> ciphers and the SMTP client doesn't support what you offer it
> falls back to completely plaintext which defeats the intention
[...]
> in short:
> MTAs acting as public MX must not enforce default TLS policies
> from the distribution shipping the package

Not really. I'd expect a mail server to always connect with TLS to
servers that it has previously connected with TLS to. Otherwise I could
always see the plaintext messages by blocking any TLS communication.

Nevertheless, this is application policy, and the system policy does
not apply here.

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
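The policy Nikos describes (remember which peers have spoken TLS, and refuse to fall back to plaintext with them afterwards) as an added illustration that is not code from the thread or from Postfix; the class, method names and the constructed delivery sequence are my own assumptions:

```python
"""Trust-on-first-use TLS policy for outbound SMTP deliveries (illustrative).

Peers that have never offered TLS keep opportunistic behaviour (plaintext is
accepted).  Once a peer has completed a TLS handshake, a later delivery that
would have to go plaintext, whether because STARTTLS was stripped from the EHLO
reply or because the handshake failed (e.g. no common cipher), is deferred
instead, so that blocking TLS on the path does not expose the message.
"""
from enum import Enum


class Action(Enum):
    TLS = "deliver over TLS"
    PLAINTEXT = "deliver in plaintext (peer never spoke TLS before)"
    DEFER = "defer: peer previously spoke TLS, refusing plaintext downgrade"


class TlsPolicyCache:
    def __init__(self):
        # hostname -> True once a TLS session with that peer has succeeded
        self._seen_tls = {}

    def seen_tls(self, host):
        return self._seen_tls.get(host, False)

    def decide(self, host, offers_starttls, handshake_ok):
        """Decide how to deliver to `host` for one connection attempt.

        offers_starttls: peer advertised STARTTLS in its EHLO reply
        handshake_ok:    TLS handshake succeeded (None if none was attempted)
        """
        if offers_starttls and handshake_ok:
            self._seen_tls[host] = True
            return Action.TLS
        # No STARTTLS offered, or the handshake failed: plaintext is the only option.
        if self.seen_tls(host):
            return Action.DEFER       # known-TLS peer: do not downgrade
        return Action.PLAINTEXT       # never-seen-TLS peer: opportunistic


def run_deliveries(cache, attempts):
    """Apply the policy to a list of (host, offers_starttls, handshake_ok) tuples."""
    return [cache.decide(host, offers, ok) for host, offers, ok in attempts]


if __name__ == "__main__":
    # Constructed sequence: first contact in plaintext, then TLS, then STARTTLS
    # disappears (as it would if someone blocked TLS on the path).
    seq = [("mx.example.net", False, None), ("mx.example.net", True, True),
           ("mx.example.net", False, None), ("mx.example.net", True, False)]
    for (host, _, _), act in zip(seq, run_deliveries(TlsPolicyCache(), seq)):
        print(f"{host}: {act.value}")
```

The fourth attempt shows Reindl's cipher-mismatch case: with a peer already known to speak TLS the policy defers rather than sending plaintext, while the same failure on a never-seen peer would still be treated opportunistically.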