> What do you think about the other one?
> Not for the next release (I'm really looking forward to a stable
> v3.10, so it's great news that you have frozen the code)
> 
> but as an idea for the future releases?

I just opened a discussion with Viktor about working towards a
future where SMTP over authenticated TLS is the norm.

- Enforce DANE if available (allowing for hybrid case)

- Else enforce STS if available

- Else enforce { secure, match=nexthop,dot-nexthop }

Custom policies will be needed for sites that are an exception from
the norm (including the case of no TLS).

We already have the technical nuts and bolts for all of the above,
we just need to provide a 'happy path'(*) for easy adoption.

Like Postfix, Viktor's $WORK is in a code freeze, so we'll continue
the discussion later.

(While implementing RFC 8689 REQUIRETLS which requires *authenticated*
TLS and REQUIRETLS support with every hop in the forward delivery
path, I realized that the world is not ready for it; REQUIRETLS may
end up in Postfix 3.11 if I can blunt the sharp edges.)

        Wietse

(*) low friction; easy to do the right thing; etc.
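The second rung of that ladder (enforce STS if available, else fall through to "secure match=nexthop:dot-nexthop") as an added illustration, not code from the message or from Postfix: a parser for the RFC 8461 mta-sts.txt policy text that emits a per-destination smtp_tls_policy_maps value. The sample policies are constructed, and the mapping of an RFC 8461 "*.domain" wildcard to a Postfix ".domain" sub-domain pattern is my assumption.

```python
"""Translate an MTA-STS policy (RFC 8461 mta-sts.txt) into a Postfix
smtp_tls_policy_maps value.  Added example, not part of the list message
or of Postfix; the policy texts below are constructed samples."""

# Constructed sample of what https://mta-sts.example.com/.well-known/mta-sts.txt
# might serve for a domain in enforce mode.
SAMPLE_ENFORCE = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup.example.net
max_age: 604800
"""

SAMPLE_TESTING = "version: STSv1\nmode: testing\nmx: mx.example.org\nmax_age: 86400\n"

# Third rung of the ladder: no DANE, no enforceable STS, still require
# authenticated TLS with the certificate name matching the next-hop domain.
DEFAULT_POLICY = "secure match=nexthop:dot-nexthop"

def parse_mta_sts(text):
    """Return a dict with version, mode, mx list and max_age; ValueError on junk."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a usable STSv1 policy")
    if policy["mode"] == "enforce" and not policy["mx"]:
        raise ValueError("enforce mode without mx patterns")
    return policy

def to_postfix_policy(policy):
    """Only 'enforce' yields a hard STS requirement; 'testing' and 'none' are not
    enforceable, so they fall through to DEFAULT_POLICY (the ladder's last rung)."""
    if policy["mode"] != "enforce":
        return DEFAULT_POLICY
    # Assumption: RFC 8461 "*.domain" wildcard -> Postfix ".domain" sub-domain match.
    names = [".%s" % m[2:] if m.startswith("*.") else m for m in policy["mx"]]
    return "secure match=" + ":".join(names)

if __name__ == "__main__":
    for sample in (SAMPLE_ENFORCE, SAMPLE_TESTING):
        print(to_postfix_policy(parse_mta_sts(sample)))
```

The lookup key for the policy table entry is the next-hop domain; the DANE rung is left to Postfix's own `dane` security level and is not modelled here.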
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org