See bottom post below.

On Wednesday, December 4, 2019 2:24:51 PM PST Phil Perry wrote:
> On 04/12/2019 22:03, Lists wrote:
> > I have a goal of securing email. Updated the company mail server and DNS
> > (CentOS 7 + Postfix, otherwise pretty stock) with support for SPF, DKIM,
> > and DMARC. So far, all good, and everything "just works".
> >
> > Our mail server has supported SMTP / TLS for a long time, but recently I've
> > been considering requiring TLS all the time.
> >
> > Is there anybody here who's done this? Has it caused any particular
> > fallout? I'm curious about:
> >
> > 1) Requiring SMTP / TLS for any inbound email.
> >
> > 2) Requiring SMTP / TLS for any outbound email.
> >
> > Thanks
>
> The obvious consideration is that if the other server does not offer
> tls, the connection will fail and you will not be able to communicate.
>
> Further RFC2487 states that enforcing tls must not be used on public
> facing mail servers.
>
> So if you want to enforce tls to ensure encryption on purely internal
> mail servers, that is fine but your external facing smtp servers must
> not enforce tls.
>
> See the Postfix tls documentation for more information:
>
> http://www.postfix.org/TLS_README.html

Is there a useful defense against STARTTLS being stripped from unencrypted communications?

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Our company sometimes does business in countries hostile to encryption and if there's a means to enforce this appropriately, I'd like to implement it.

Seems to me something like a DMARC DNS TXT flag would be appropriate for this.

smtptls=none|any|required; ?

But that's just an idea.
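A concrete version of the split Phil describes (opportunistic STARTTLS on the public MX, mandatory TLS only for destinations where you control or have agreed both ends), as an added example that is not from this thread or from the Postfix documentation; every host name, domain and certificate path below is a placeholder:

```text
# Added example, not from the thread: Postfix settings for a CentOS 7 box
# that keep the public-facing side opportunistic (RFC 2487, now RFC 3207,
# says a public MX MUST NOT require STARTTLS) and make TLS mandatory only
# per destination. Domains, host names and file paths are placeholders.

# --- main.cf: inbound (smtpd) ------------------------------------------
# Offer STARTTLS to everyone, require it from no one on the public MX.
# (Postfix does not allow comments after a value, so they sit above it.)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
# Record protocol and cipher in the Received: header, so an inbound
# session that arrived in cleartext is visible in the message itself.
smtpd_tls_received_header = yes

# --- main.cf: outbound (smtp) ------------------------------------------
# Opportunistic by default: encrypt when offered, fall back otherwise.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# Level 1 logs one summary line per delivery saying whether TLS was used
# and how; a destination that used to log "TLS connection established"
# and now delivers in cleartext is what a stripped STARTTLS looks like.
smtp_tls_loglevel = 1
# Per-destination overrides: the sending-side equivalent of the
# "smtptls=required" flag proposed in the post.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy") ---
# Internal relay: STARTTLS is mandatory. If the EHLO response arrives
# without it, the mail is deferred rather than sent in the clear.
corp.example.internal       encrypt
# Partner you exchange sensitive mail with: mandatory TLS plus certificate
# verification against smtp_tls_CAfile, so a box in the middle that does
# offer STARTTLS with its own certificate is refused as well.
partner.example             secure match=partner.example:.partner.example
# Everything else falls through to smtp_tls_security_level = may.
```

After `postfix reload`, `postmap -q partner.example hash:/etc/postfix/tls_policy` confirms the lookup, and `postconf -n` shows the effective settings. The DNS-advertised form of the same idea was later standardised as MTA-STS (RFC 8461), which Postfix does not implement on its own.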
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos