On 16/03/2012 11:57, Wietse Venema wrote:
Ed W:
Therefore I'm suggesting that the out of the box config matches the
*RFC*. Then if the mail owner wants to lock it down to some non RFC
suggested spec they can read the instructions.
SHOULD does not forbid mandatory TLS; only a twisted mind will read
this as "support for plaintext is required". Besides, RFCs are not
the only relevant guidelines. There are plenty other guidelines
that frowm upon plaintext passwords over plaintext connections.
Wietse
My understanding is that the proposed settings would require TLS even in
the event of encrypted password exchange?
There are plenty of reasons to *dislike* non TLS connections, but
*banning* plain text seems harsh?
Unless I missed something there should also be no RFC complaints with
accepting TLS over port 25? I believe I have my postfix currently
configured this way.
Personally I would vote for "smtpd_tls_security_level = may" to become
part of the default postfix config (or is it... durr..) so that every
service can accept TLS by default. In fact, what objection would you
raise for this even to become the default for all services where it
makes sense? Then the config can switch to either forcing it off/on as
the owner feels fit?
