I think this goes back to Jon Postel's theory of accepting liberally, but sending strictly, i.e. if your users or other MTAs are sending you bad or no encryption, try to accept it to get the job done. If you are sending to other MTAs, try to send with the best possible encryption, at least until you see it's backfiring on you.
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jan 8, 2021, at 8:12 PM, Ángel via mailop <mailop@mailop.org> wrote:
>
> SMTP uses _opportunistic_ encryption. It fails open.*
> This has the unfortunate consequence that strengthening the encryption
> often means to actually use no encryption at all. ☹
> The client MTA attempts to negotiate TLS 1.2, is unable to, and ends up
> sending the email in plaintext, when it could have been sent using
> TLS 1.0 with a weaker algorithm, vulnerable to some advanced
> cryptographic attacks, or in some cases with an active MITM (which it
> wouldn't detect anyway, since clients don't bother to verify the
> certificate*).
>
> It would have been preferable to let that go through even with a weaker
> encryption. Of course, it could still be marked to the user as not
> (properly) encrypted, a broken lock or whatever way you may convey that
> to your users. If you do that, most providers don't report that in any
> way, and users stay in their blissful ignorance (in which they are
> probably happier, too).
>
> Happy and safe 2021 to everyone
>
> * I'm ignoring the population forcing encryption or implementing MTA-STS.
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
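A constructed simulation of the fallback dilemma both messages above describe. This is added example code, not something posted in the thread and not the logic of any real MTA; the remote servers, their version sets and the policy names are assumptions made up for illustration. It runs three sender policies against the same servers: the "strict floor, then plaintext" client the quoted mail complains about, a client that steps down through weaker TLS versions before it gives up on TLS, and a forced-TLS client (the MTA-STS / required-TLS population the footnote excludes) that defers rather than falling open. The returned label is the "broken lock" a provider could surface to the user.

```python
"""Opportunistic-TLS fallback simulation (constructed example, not a real MTA).

Models SMTP STARTTLS version negotiation as "highest version both sides
accept" and shows why a client that insists on TLS 1.2 and then falls open
to plaintext ends up *less* protected against a passive observer than one
that first steps down to an older TLS version.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# TLS versions the simulated client knows, strongest first.
TLS_VERSIONS = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"]


@dataclass
class RemoteMTA:
    """A constructed remote SMTP server: whether it offers STARTTLS and which versions it accepts."""
    name: str
    offers_starttls: bool
    tls_versions: List[str] = field(default_factory=list)


@dataclass
class DeliveryResult:
    server: str
    channel: str                 # "tls", "plaintext" or "deferred"
    tls_version: Optional[str]   # negotiated version when channel == "tls"
    attempts: List[str]          # trace of what the client tried, as a log would show it

    @property
    def user_facing_label(self) -> str:
        """What a mail UI could show instead of leaving users in blissful ignorance."""
        if self.channel == "tls" and self.tls_version in ("TLSv1.3", "TLSv1.2"):
            return "encrypted"
        if self.channel == "tls":
            return "weakly encrypted"    # delivered, but over a deprecated protocol
        if self.channel == "plaintext":
            return "not encrypted"
        return "not delivered"


def handshake(server: RemoteMTA, allowed_versions: List[str]) -> Optional[str]:
    """Return the highest version in both sets, or None when the handshake fails.

    Certificate verification is deliberately absent: as the quoted mail notes,
    opportunistic clients generally do not verify it, so an active MITM is not
    something this model can detect either.
    """
    for v in TLS_VERSIONS:
        if v in allowed_versions and v in server.tls_versions:
            return v
    return None


def deliver(server: RemoteMTA, floor: str, fail_open: bool) -> DeliveryResult:
    """Attempt delivery with a version floor; reconnect with a relaxed policy on failure.

    floor      lowest TLS version the client is willing to step down to
    fail_open  True: send in plaintext once TLS is exhausted (opportunistic);
               False: defer instead (forced TLS / MTA-STS-style policy)
    """
    attempts: List[str] = []
    if server.offers_starttls:
        for i, v in enumerate(TLS_VERSIONS):
            # Each retry allows everything from the strongest version down to v.
            got = handshake(server, TLS_VERSIONS[: i + 1])
            attempts.append(f"STARTTLS >= {v}: {'ok ' + got if got else 'failed'}")
            if got:
                return DeliveryResult(server.name, "tls", got, attempts)
            if v == floor:
                break   # policy says: go no weaker than this
    if not fail_open:
        attempts.append("TLS required, deferring")
        return DeliveryResult(server.name, "deferred", None, attempts)
    attempts.append("falling open to plaintext")
    return DeliveryResult(server.name, "plaintext", None, attempts)


# Constructed servers, not real hosts.
LEGACY_ONLY = RemoteMTA("legacy.example", True, ["TLSv1.0"])
MODERN = RemoteMTA("modern.example", True, ["TLSv1.3", "TLSv1.2"])
NO_TLS = RemoteMTA("cleartext.example", False, [])


def compare(server: RemoteMTA) -> Dict[str, str]:
    """Run the three policies against one server and return the user-facing labels."""
    return {
        "strict_fails_open": deliver(server, "TLSv1.2", fail_open=True).user_facing_label,
        "degrade_gracefully": deliver(server, "TLSv1.0", fail_open=True).user_facing_label,
        "tls_required": deliver(server, "TLSv1.2", fail_open=False).user_facing_label,
    }


if __name__ == "__main__":
    for s in (LEGACY_ONLY, MODERN, NO_TLS):
        print(s.name, compare(s))
        for a in deliver(s, "TLSv1.0", fail_open=True).attempts:
            print("   ", a)
```

Against the TLS 1.0-only server the strict policy sends in the clear, the stepping-down policy delivers over TLS 1.0 and labels it "weakly encrypted", and the forced-TLS policy defers; against the modern server all three negotiate TLS 1.3. Real MTAs do not reconnect with a relaxed policy after a handshake failure, which is exactly the gap the thread is about.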