Martin Thomson wrote in <60889b75-d47e-4f28-9268-9588afacf2de@xxxxxxxxxxxxxxxxxxxx>:
 |On Wed, Oct 30, 2024, at 13:54, Viktor Dukhovni wrote:
 |> Bottom line, will SMTP without STARTTLS still be SMTP or will it be
 |> out of spec, with MTA implementations under pressure to drop support for
 |> receiving/sending cleartext SMTP.
 |
 |This thread makes me feel like it's 2013 again. We had these debates
 |about the web and HTTP at around that time.
 |
 |This isn't some complex or nuanced thing. It's about whether the IETF
 |thinks that STARTTLS is necessary to address the threat model. Sure,
 |it isn't sufficient for email, but I don't get why a strong recommendation
 |isn't being made. Clearly, if you use unsecured SMTP to send mail
 |somewhere, there's a good chance that a) it won't get there, and b)
 |that it will get a lot of other places that you didn't intend.
 |
 |Some people think that it is OK to bury a statement like that in an
 |applicability statement. I don't see why there is a whole lot of push
 |back when the request is to have the main document say as much. I
 |don't see any request to mandate the use of STARTTLS, just to document
 |the security considerations in the Security Considerations section.

Yes on that "applicability statement". And yes, "strong recommendation". And yes to easy detection and usability. And the IETF failed to give any hints on that in the past; that MUST be said.

Email has become an administrator's nightmare. I say: email should be easy.

It is neither DANE for many, as they cannot create the DNS entries, and though I like Viktor very much, we not long ago had a thread on postfix-users where people asked for DANE, and I am still "schwindelig" (dizzy) from all the "3 1 1" and not "2 1 1" (iirc) advice that was given. And I would think we are talking professionals here on both sides.

And it is definitely not that MTA-STS, which requires an HTTP server and places crap (sorry) in the .well-known trashbin (sorry). The idea alone is as if believing that it will be rockets that help us consume (ie: develop) other planets: absurd!!

No. Give it an SRV entry; it was designed for this purpose, and all other email protocols use it. Everybody can. Today.

Thank you,

--steffen
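The "3 1 1" versus "2 1 1" advice mentioned in the message above refers to DANE TLSA certificate usages. The following is an added example, not code from this thread or from Postfix, showing how an SMTP client's TLSA matching treats DANE-EE(3) and DANE-TA(2) records differently, and why a "3 1 1" record stops matching after a key rotation while a "2 1 1" record for the same issuer keeps matching. The certificate bytes are constructed stand-ins, and path validation up to the trust anchor is left out.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 2 = DANE-TA(2), 3 = DANE-EE(3); usages 0/1 are not usable for SMTP (RFC 7672)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


@dataclass(frozen=True)
class Cert:
    der: bytes   # certificate DER; constructed placeholder bytes in this example
    spki: bytes  # SubjectPublicKeyInfo DER; constructed placeholder bytes in this example


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data that a TLSA record is compared against."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(usage: int, selector: int, mtype: int, cert: Cert) -> str:
    """Render the record an operator would publish, e.g. '3 1 1 <hex digest>'."""
    return f"{usage} {selector} {mtype} {association_data(cert, selector, mtype).hex()}"


def dane_match(chain: list[Cert], records: list[Tlsa]) -> bool:
    """chain[0] is the server's end-entity certificate, the rest are the issuers it sent.
    DANE-EE(3) must match the leaf itself; DANE-TA(2) must match some certificate in the
    presented chain (a real client also path-validates the leaf up to that anchor)."""
    for r in records:
        if r.usage == 3:
            candidates = chain[:1]
        elif r.usage == 2:
            candidates = chain
        else:
            continue  # PKIX-TA(0) / PKIX-EE(1): unusable for SMTP, skip the record
        if any(association_data(c, r.selector, r.mtype) == r.data for c in candidates):
            return True
    return False


# Constructed sample material: stand-in bytes, not real certificates.
LEAF = Cert(der=b"constructed-leaf-der", spki=b"constructed-leaf-spki")
ISSUER = Cert(der=b"constructed-issuer-der", spki=b"constructed-issuer-spki")
ROTATED_LEAF = Cert(der=b"constructed-new-leaf-der", spki=b"constructed-new-leaf-spki")
REC_311 = Tlsa(3, 1, 1, hashlib.sha256(LEAF.spki).digest())      # "3 1 1" for the leaf key
REC_211 = Tlsa(2, 1, 1, hashlib.sha256(ISSUER.spki).digest())    # "2 1 1" for the issuer key
```

Publishing the record before the rotated key goes live (or keeping both old and new "3 1 1" records during the switch) is what keeps DANE-EE deployments from failing, which is the operational trap the "3 1 1" advice tends to gloss over.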