Re: Forcing TLS for SMTP?




See bottom post below.

On Wednesday, December 4, 2019 2:24:51 PM PST Phil Perry wrote:
> On 04/12/2019 22:03, Lists wrote:
> > I have a goal of securing email. Updated the company mail server and DNS
> > (CentOS 7 + Postfix, otherwise pretty stock) with support for SPF, DKIM,
> > and DMARC. So far, all good, and everything "just works".
> > 
> > Our mail server has supported SMTP / TLS for a long time, but recently
> > I've been considering requiring TLS all the time.
> > 
> > Is there anybody here who's done this? Has it caused any particular
> > fallout? I'm curious about:
> > 
> > 1) Requiring SMTP / TLS for any inbound email.
> > 
> > 2) Requiring SMTP / TLS for any outbound email.
> > 
> > Thanks
> 
> The obvious consideration is that if the other server does not offer
> tls, the connection will fail and you will not be able to communicate.
> 
> Further RFC2487 states that enforcing tls must not be used on public
> facing mail servers.
> 
> So if you want to enforce tls to ensure encryption on purely internal
> mail servers, that is fine but your external facing smtp servers must
> not enforce tls.
> 
> See the Postfix tls documentation for more information:
> 
> http://www.postfix.org/TLS_README.html

Is there a useful defense against STARTTLS being stripped from unencrypted
communications?

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Our company sometimes does business in countries hostile to encryption and if
there's a means to enforce this appropriately, I'd like to implement it.

Seems to me something like a DMARC DNS TXT flag would be appropriate for this.
smtptls=none|any|required; ? But that's just an idea.
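Added example (not from the thread or from the Postfix documentation it links): a Postfix main.cf excerpt plus a per-destination TLS policy table showing the split that Phil Perry describes, opportunistic TLS on the public-facing listener, mandatory TLS only for chosen peers. Host names, domain names and certificate paths are placeholders; only the CA bundle path is the stock CentOS 7 location.

```conf
# /etc/postfix/main.cf (excerpt; placeholder names, added example)

# --- Inbound (smtpd): advertise STARTTLS but stay opportunistic. ---
# A public-facing MX must not require TLS (RFC 3207, successor of RFC 2487):
# "may" offers STARTTLS to every client and still accepts cleartext sessions.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file  = /etc/pki/tls/private/mail.example.com.key
# Record the TLS version and cipher in the Received: header so cleartext
# deliveries can be spotted in message headers, not only in the maillog.
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# --- Outbound (smtp): opportunistic by default, enforced per destination. ---
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
# Per-destination overrides: TLS is required here without breaking delivery
# to the rest of the Internet.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy


# /etc/postfix/tls_policy   (build with: postmap /etc/postfix/tls_policy)
#
# destination                  level    options
#
# "encrypt": TLS is mandatory. A peer that does not offer STARTTLS, or whose
#            STARTTLS advertisement was stripped on the wire, is never sent
#            the message in the clear; it stays queued until it bounces.
# "secure":  as "encrypt", plus the peer certificate must chain to a CA in
#            smtp_tls_CAfile and carry one of the names in match=, so an
#            intermediary presenting its own certificate is refused too.
internal-relay.example.com     encrypt
partner.example.net            secure   match=partner.example.net:.partner.example.net
# Destinations not listed fall back to smtp_tls_security_level (may).
```

After editing the table, run `postmap /etc/postfix/tls_policy` and `postfix reload`. With `smtp_tls_loglevel = 1` Postfix logs each outbound session as "Anonymous TLS connection established" or "Trusted TLS connection established", and with `smtpd_tls_received_header = yes` each inbound message carries the TLS parameters in its `Received:` line; a peer that normally appears with TLS and suddenly arrives without it is the signal a STARTTLS-stripping attempt would leave. The DNS-published policy sketched in the post is close to what RFC 8461 (MTA-STS) specifies: a `_mta-sts.<domain>` TXT record (`v=STSv1; id=...`) pointing at an HTTPS-served policy that tells senders whether TLS is required for that domain's MX hosts.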


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
