On Thu, Oct 24, 2024 at 06:34:16AM +0800, Wesley via Postfix-users wrote:

> $ postconf -d smtp_use_tls smtp_tls_security_level
> smtp_use_tls = no
> smtp_tls_security_level =
>
> Under these defaults, I am afraid if I don't set them up, Postfix will
> always talk to peer with plaintext, even peer supports starttls. Am I
> right?
Yes, of course, as documented. TLS is off by default, this is
backwards-compatible behaviour, and Postfix aims to not "surprise"
operators with unexpected new behaviour after an upgrade. Default
settings are in part also the responsibility of vendor distributions
that determine how the Postfix software is built, and what settings
are used in initial deployments.

Now perhaps at this point, we could (if Wietse concurs) change the
default security level to "may" when (almost always nowadays) TLS is
enabled at compile time. Gmail stats for TLS in/out are quite close
lately to 100% in both directions:

https://transparencyreport.google.com/safer-email/overview?encrypt_out=start:1356912000000;end:1729814399999;series:outbound&lu=encrypt_in&encrypt_in=start:1356912000000;end:1729814399999;series:inbound

    - Outbound email encryption: 98%
    - Inbound email encryption: 99%

The long tail outbound 0% outliers (used to include yahoo.jp, ...) are
increasingly marginal:

    To: au.com                          0%
    To: ezweb.ne.jp via au.com          0%
    To: gmail.com via 103.75.249.106    0%
    To: juno.com via untd.com           0%
    To: pdvsa.com                       0%
    To: plala.or.jp                     3%
    To: sina.com via sina.com.cn        0%
    To: softbank.jp                     0%
    To: softbank.ne.jp                  0%
    To: tiscali.it                      0%

The "gmail.com" via "103.75.249.106" is a bit puzzling, that's a
Vodafone IP address, so unclear why GMail would send mail to GMail via
that IP... And "juno.com" is disappointing, they are the first free
email provider that set the precedent for Hotmail, Yahoo and GMail. At
the time consumer email was dominated by AOL and your local ISP.
Shame on Tiscali that "tiscali.it" is a non-TLS service:

    $ posttls-finger tiscali.it
    posttls-finger: Connected to etb-1.mail.tiscali.it[213.205.33.61]:25
    posttls-finger: < 220 cmgw-3.mail.tiscali.it ESMTP service ready
    posttls-finger: > EHLO amnesiac
    posttls-finger: < 250-cmgw-3.mail.tiscali.it hello [192.0.2.1], pleased to meet you
    posttls-finger: < 250-SIZE 104857600
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 OK
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 cmgw-3.mail.tiscali.it closing connection

> I ask this b/c when I just ran 'apt install postfix' to make
> Postfix a relay for another server of mine (with most defaults setup).
> Since I changed nothing on smtp_tls_* stuff, it always talks to peers
> with plaintext, and a peer may reject this talk session (such as the gmail
> server?).

Well, GMail does not reject non-TLS traffic on port 25, as you see
above still around 1% of their inbound traffic is cleartext.

But to your question, yes presently TLS has to be explicitly enabled.
It is off by default, just as was the case in 1997.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
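As an added example that is not part of this thread (neither Postfix's own code nor Viktor's), a small POSIX shell check that reads `postconf` output and reports the effective outbound TLS mode. It goes slightly beyond the quoted defaults by also covering the obsolete `smtp_use_tls` and `smtp_enforce_tls` parameters, which Postfix still honours only while `smtp_tls_security_level` is empty; the sample input is constructed from the defaults Wesley quoted.

```shell
# Added example, not from the thread. Classify the effective outbound TLS
# posture of a Postfix smtp(8) client from "name = value" lines on stdin.
# Prints one of:
#   none    -> cleartext only (the compiled-in default discussed above)
#   may     -> opportunistic STARTTLS
#   encrypt -> mandatory TLS via the legacy smtp_enforce_tls knob
#   <level> -> whatever explicit smtp_tls_security_level is set
outbound_tls_mode() {
    level="" use_tls="no" enforce="no"
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac   # skip non "k = v" lines
        name=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        value=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case "$name" in
            smtp_tls_security_level) level=$value ;;
            smtp_use_tls)            use_tls=$value ;;
            smtp_enforce_tls)        enforce=$value ;;
        esac
    done
    if [ -n "$level" ]; then
        printf '%s\n' "$level"   # a non-empty level overrides the legacy parameters
    elif [ "$enforce" = yes ]; then
        printf 'encrypt\n'       # legacy mandatory TLS
    elif [ "$use_tls" = yes ]; then
        printf 'may\n'           # legacy opportunistic TLS
    else
        printf 'none\n'          # stock default: every outbound session is plaintext
    fi
}

# On a live system:
#   postconf smtp_tls_security_level smtp_use_tls smtp_enforce_tls | outbound_tls_mode
# and, to turn on opportunistic TLS as the thread suggests:
#   postconf -e 'smtp_tls_security_level = may' && postfix reload

# Constructed sample mirroring the "postconf -d" output quoted above.
sample='smtp_use_tls = no
smtp_tls_security_level ='
printf '%s\n' "$sample" | outbound_tls_mode
```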