i've

    $ postconf mail_version
    mail_version = 3.10.5

recent help on list here

> My take is that for most users that is the wrong tradeoff. A sensibly
> robust setting with better longevity serves most users better than a
> fine-tuned point-in-time optimisation for unrealistic threats.

convinced me to stick with PFX TLS cipher list defaults.
so that's the 'which TLS' bit.
next step here is a re-visit of TLS-always-or-not.
checking, pfx inbound TLS security level policy defaults to
$ postconf -d postscreen_tls_security_level smtpd_tls_security_level
postscreen_tls_security_level = $smtpd_tls_security_level
smtpd_tls_security_level =
https://www.postfix.org/postconf.5.html#smtpd_tls_security_level confirms
smtpd_tls_security_level (default: empty)
and instructs to
Specify one of the following security levels: (none, may, encrypt)
where for == "encrypt",
" ... According to RFC 2487 this MUST NOT be applied in case of a
publicly-referenced SMTP server ..."
i understand the RFC.
i'm interested in understanding the current state of IRL affairs ... and
whether the 'security hats' driving the email RFCs etc are moving on that
recommendation/requirement.
considering ( as i do somewhat frequently ) use of postfix inbound config that
instead contains a stricter,
[mx.example.net]:25 inet n - n - 1 postscreen
-o postscreen_tls_security_level=encrypt
-o smtpd_service_name=ps-int
...
ps-int pass - - n - - smtpd
-o smtpd_tls_security_level=encrypt
...
where, all non-TLS inbound email is refused.
yes, i understand there's "some" risk.
reading, Google's Transparency Report
https://transparencyreport.google.com/safer-email/overview?hl=en
claims both 'many ...'
"Many email providers don’t encrypt messages while they’re in transit."
and shows Google-specific stats, for period 8/9/2025 -> now,
Outbound email encryption: 96%
Inbound email encryption: 100%
which, to me, reads "low single digits %-age" rather than "many".
i'd guess that's not a terrible model of the general email landscape.
as for that fraction, even back in 2023, an APNIC report
https://blog.apnic.net/2023/03/02/not-that-simple-email-delivery-in-the-21st-century/
suggests that non-TLS skews heavily -- again, not exclusively -- to spam.
i'd guess that that's gotten more, not less, true since.
running my own logs over the past year show << ~ 0.5% of inbound no-TLS from
known/valued partners. in cases where i've tightened policy to == encrypt, almost all
of those partners have reached out / notified through other channels within < 3-4
rejections. those outliers that don't reach out, and don't respond when notified, i've
(sometimes) selectively whitelisted.
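An added example, not from the post, of one way to produce that kind of tally from Postfix smtpd logs before tightening to encrypt: sessions are correlated by smtpd process id (a reused process must have its TLS flag reset at each "connect from"), and the hosts that delivered anything in cleartext are listed so they can be reviewed first. The log lines, hostnames and IPs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log format (hosts and IPs are hypothetical).
# pid 1001 is reused for a second, cleartext session to exercise the flag reset.
SAMPLE_LOG = """\
Oct 10 09:00:01 mx postfix/smtpd[1001]: connect from mail.partner-a.example[192.0.2.10]
Oct 10 09:00:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from mail.partner-a.example[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Oct 10 09:00:02 mx postfix/smtpd[1001]: 4A1B2C3D: client=mail.partner-a.example[192.0.2.10]
Oct 10 09:05:00 mx postfix/smtpd[1001]: connect from legacy.partner-b.example[198.51.100.7]
Oct 10 09:05:01 mx postfix/smtpd[1001]: 5E6F7A8B: client=legacy.partner-b.example[198.51.100.7]
Oct 10 09:10:00 mx postfix/smtpd[1002]: connect from mail.partner-a.example[192.0.2.10]
Oct 10 09:10:00 mx postfix/smtpd[1002]: Anonymous TLS connection established from mail.partner-a.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 10 09:10:01 mx postfix/smtpd[1002]: 9C0D1E2F: client=mail.partner-a.example[192.0.2.10]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)")
TLS_RE = re.compile(r"^(?:Anonymous|Trusted|Untrusted|Verified) TLS connection established from ")
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=(?P<host>[^\s,]+)")

def tally_inbound_tls(log_text):
    """Per client host, count messages accepted over TLS vs in cleartext."""
    tls_active = {}  # pid -> True once STARTTLS completed in the current session
    per_host = defaultdict(lambda: {"tls": 0, "cleartext": 0})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue  # not an smtpd line (smtp client, postscreen, cleanup, ...)
        pid, msg = m.group("pid"), m.group("msg")
        if CONNECT_RE.match(msg):
            tls_active[pid] = False  # new session, possibly on a reused process
        elif TLS_RE.match(msg):
            tls_active[pid] = True
        else:
            c = CLIENT_RE.match(msg)  # queue-id line: a message was accepted
            if c:
                state = "tls" if tls_active.get(pid) else "cleartext"
                per_host[c.group("host")][state] += 1
    total = sum(v["tls"] + v["cleartext"] for v in per_host.values())
    clear = sum(v["cleartext"] for v in per_host.values())
    summary = {"messages": total, "cleartext": clear,
               "cleartext_share": clear / total if total else 0.0}
    return dict(per_host), summary

def cleartext_senders(per_host):
    """Hosts that sent at least one message without TLS: the senders an
    'encrypt' policy would start refusing, so review these before switching."""
    return sorted(h for h, v in per_host.items() if v["cleartext"])
```

Run it over a year of mail logs (e.g. the concatenated smtpd entries) to get the cleartext share and the affected-partner list in one pass.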
i'm leaning to migrate further-if-not-completely to an inbound "== encrypt"
TLS-required policy.
unless i'm missing something ...
have the "tea leaves" changed?
_______________________________________________
Postfix-users mailing list