Hi Nico,

I'm a bit worried about offering/selling IPv6-only "email" services to customers, fully independent of your web of trust idea:
A large fraction of the SME (small and medium sized enterprises) and public service operators, whose networks I know from supporting some business-related software, are IPv4-only in their LANs / intranets, including their mail services. They send their normal business mail, order confirmations, parking ticket receipts, etc. over these networks. And pressure from the management / business side to set up IPv6 in addition to the working IPv4 infrastructure is very low.

So you should make clear to your email service customers that they won't be able to receive 100 % of common Internet email. Even if it was maybe 95 % due to most people using GMail etc., it won't be 100 %. Moreover, not being able to receive and send IPv4 email is simply a choice made for ideological agenda reasons and not because it's not possible from a technological point of view.

I totally agree with Jaroslaw Rafa who wrote:

> Of course, you can build such a thing, but please don't call such service
> email anymore, as it contradicts the basic principles of email. Also if you
> call that email, you will be misleading your users [...]

None of the SMEs I've mentioned above will bother to set up some special IPv6 gateway VPN or whatever for a single certain customer who is unlucky to have been sold a special IPv6-only "email" solution. This would probably only result in your support capacity being consumed by "Help, I didn't receive the invitation/invoice/...!" tickets. Just one hour of IT support being consulted is far more expensive than having an IPv4 address for the mail gateway of your service.

And I don't think security is a well-grounded reason to be IPv6-only, because it's as weak as other "security by obscurity" approaches.

And we should remember to consider ourselves as friendly supporters and business enablers. ^^ The stereotypes about grumpy, unhelpful IT staff are due to exactly this attitude:

- "Dear colleague, I'm missing 10 emails that municipality XY said to have sent to me."
- "Pfff, our mail gateway is IPv6 only to keep the trash out. Tell them to migrate to IPv6."
- "Eeehm, what?! O_o And how do I get my documents now? Thanks for nothing."

Yours,
Reg Bbbarclay

> Sent: Tuesday, 15 October 2024 at 11:28
> From: "Nico Schottelius via Postfix-users" <postfix-users@postfix.org>
> To: "Jaroslaw Rafa via Postfix-users" <postfix-users@postfix.org>
> Cc: "Jaroslaw Rafa" <r...@rafa.eu.org>
> Subject: [pfx] Re: [RFC, sketch] IPv6 only trust of mail network
>
>
> Jaroslaw Rafa via Postfix-users <postfix-users@postfix.org> writes:
>
> > On 15.10.2024 at 12:36:12 Nico Schottelius via Postfix-users wrote:
> >>
> >> You got a point there, there would be a barrier between classic email
> >> and "secure email" (or whatever term comes to one's mind).
> >>
> >> Actually a bit similar as the split between the IPv6 and IPv4 world -
> >> hence my argument for going IPv6 only might be even more valid.
> >
> > Your comparison to IPv6 vs IPv4 isn't very good, as everybody tries to do
> > their best to level the barrier between IPv6 and IPv4, not strengthen
> > it.
>
> tbh, I think this is only true to a small degree for DS-Lite approaches
> using MAP-T or NAT64.
>
> > That's why dual stack still is (and probably will be in the foreseeable
> > future) still a thing.
>
> I think you are very mistaken on that one, as dual stack complexity is
> significantly higher than single stack.
>
> > Nobody is setting up IPv6-only servers, unless they are experimental servers
> > meant to be used only by closed group of users, and not generally reachable
> > from the Internet. Who would like to setup eg. an IPv6-only website, thus
> > cutting themselves off of half of the Internet?
>
> I could send you quite some documents about IPv6 only hostings, but I
> believe that is really going too far offtopic.
> In a nutshell, IPv6 only
> hostings are much easier, more sustainable and the only thing that you
> need is a border gateway/translator, if communication to the IPv4 world
> is required.
>
> > [...]
> >
> > Do you plan to add to your system some kind of gateways between the "secure
> > email" and the "normal email" world?
> >
> > If yes, that kinda defeats the purpose you are building it for. If no, then
> > you are cutting yourself from half of the Internet. I don't see a third
> > option here...
>
> There is a very easy yes-and-no at the same time answer here:
>
> - Within the "secure mail" network, there will be no connection to
>   legacy systems
> - However operators can choose to connect their "normal email" system
>   internally to securemail
>
> This way forwarding is not enabled, but legacy systems can interact with
> secure email systems, if the operator is able to reach out. Seen
> graphically:
>
> example.org (secure email) --[ internal ]--- example.org (normal email)
>        |
>        |
>        |
> example.com (secure email only, allows access from example.org)
>
> Hope that makes sense. I can add further clarifications off list to keep
> it postfix focused.
>
> BR,
>
> Nico
>
>
>
> --
> Sustainable and modern Infrastructures by ungleich.ch
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
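To make the split Nico sketches concrete, here is an added Postfix configuration written as an illustration for this thread (not Nico's, ungleich's or the Postfix project's own setup): an IPv6-only "secure email" instance that accepts mail only from its operator's internal "normal email" MTA and from a peer secure-mail MX, beside a dual-stack "normal email" relay that hands the operator's own domain over the internal link and forwards nothing else inward. Hostnames, the 2001:db8::/32 documentation addresses and the multi-instance file layout are assumptions.

```conf
# /etc/postfix-secure/main.cf: example.org "secure email" instance
# (assumed multi-instance layout; 2001:db8::/32 addresses are constructed)
#
# IPv6 only: no IPv4 sockets are opened and no IPv4 peer is ever contacted,
# so an IPv4-only sender's MTA finds no usable address for this MX.
inet_protocols = ipv6
inet_interfaces = 2001:db8:1::25
myhostname = secure-mx.example.org
mydomain = example.org
mydestination = $mydomain, $myhostname
# Trusted clients: the operator's own "normal email" MTA on the internal
# link, plus the peer secure-mail MX of example.com.
mynetworks = [2001:db8:1::]/64, [2001:db8:2::25]/128
# Everything else is refused at connect time: no legacy path, no open relay.
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# Outbound: deliver only to listed secure-mail peers; any other destination
# bounces locally instead of leaking into the open Internet.
transport_maps = hash:/etc/postfix-secure/transport
default_transport = error:5.7.1 destination is outside the secure-mail network

# /etc/postfix-secure/transport (assumed file; run postmap after editing)
#   example.com   smtp:[secure-mx.example.com]

# /etc/postfix/main.cf: example.org "normal email" instance (dual stack)
# This is the "[ internal ]" link of the sketch: the operator's legacy-facing
# MX accepts example.org mail over IPv4 and IPv6 and hands it inward.
inet_protocols = all
myhostname = mx.example.org
mydestination =
relay_domains = example.org
# Only the operator's own domain is handed inward; nothing else is forwarded
# into the secure network, matching "forwarding is not enabled".
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (assumed file)
#   example.org   smtp:[2001:db8:1::25]
```

Mail from the Internet for example.org lands on the dual-stack relay and is passed inward, while example.com's secure MX is only ever reached from the IPv6-only instance; a message from the secure instance to any other domain is bounced by the error transport rather than escaping the network.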