--On Tuesday, September 09, 2014 9:02 AM +0200 Stefan Foerster <cite+postfix-us...@incertum.net> wrote:

> * Wietse Venema <wie...@porcupine.org>:
> > Viktor Dukhovni:
> > > Which works just fine with a single certificate, because TLS in
> > > SMTP is generally unauthenticated. If all the various domains
> > > share the same MX hostnames, many implementations that log
> > > "speculative" authentication results (no actual enforcement, just
> > > logging that a given session happened to appear to not be MiTMed)
> > > will match the MX host against the shared certificate.
> >
> > I'd like to hear a bit more on this from other people than Viktor.
> > There is a difference between "technically perfect" (e.g., telling
> > everyone to adopt DNSSEC and DANE or else don't bother), and what
> > is "currently justifiable".
>
> This isn't exactly what you asked for, but:
>
> For us, there is very little interest from our customers when it comes
> to securing the transport side of mail exchange. Most B2C customers
> don't care (and probably most don't know). When it comes to our B2B
> customers (we have several "white label" units and do provide
> application services), we mostly encounter these scenarios:

We have 6 clients, primarily BSPs, wanting the cert setup for multiple
domains. For securing smtpd in general, we've had about 20 or so
interested clients, and have set smtpd_tls_security=may for zimbra.com as
well.

Interestingly enough, there does seem to be a number of hosts using TLS
when communicating with smtpd, including sites such as google, cloud9,
yahoo, hotmail, dropbox, linkedin, etc. We have 2,253 (non unique domain)
connections so far today using TLS over smtpd (vs 13,599 not using TLS).
So approximately 14% of all connections to our smtpd are using TLS now.
Hard to exactly extract how significant that is, since it'll depend on
traffic patterns, but it overall does indicate to me that securing the
smtpd layer is of importance to a number of organizations.

--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.