Bill Cole said:
> On 3 Jun 2015, at 9:15, John Allen wrote:
> 
> >Is there any way of testing for and refusing un-encrypted email?
> 
> The generic answer is "yes" but you need to define what you mean to
> pick a mechanism.
> 
> If you mean email must be sent and received over an encrypted
> transport, e.g. TLS, it is simply a matter of 2 postfix settings:
> 
> smtp_tls_security_level=encrypt
> smtpd_tls_security_level=encrypt

Would this also require checking DANE and/or a signed certificate?

Is further Postfix configuration required?

> Note that using those will BREAK YOUR MAIL SERVER for normal use and
> violate RFC2487, which defines the STARTTLS extension to SMTP. Many
> SMTP servers still do not support TLS; requiring it with no
> plaintext fallback means no mail to or from those peers.

RFC2487 is obsoleted by RFC3207. 

Why not create another RFC for a DNS TLSMX record?

TLSMX
Encryption as specified in RFC 3207 is required and unencrypted email is not 
accepted.
Forward secrecy is required.
Strict TLS validation is required by first checking for TLSA and then a 
strictly validated cert.

Or am I missing something obvious?


https://tools.ietf.org/html/rfc2487
https://tools.ietf.org/html/rfc3207


Chuck
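As an added example (not from the thread), the following Postfix main.cf fragment shows the two settings Bill quoted beside a DANE-aware alternative that covers the TLSA, strict-validation and forward-secrecy points raised above without dropping plaintext-only peers; the certificate paths, the example.org names and the policy-table path are assumptions.

```ini
# Added example, not the thread's own configuration. Paths, example.org
# names and the policy-table location are assumptions for illustration.
# Postfix main.cf does not allow trailing comments, so each comment is on
# its own line.

# --- Variant A: the two settings quoted in the thread ---
# Mandatory TLS in both directions. A peer that never offers STARTTLS can
# neither deliver to nor receive from this server (the RFC 3207 point).
#smtp_tls_security_level = encrypt
#smtpd_tls_security_level = encrypt

# --- Variant B: opportunistic by default, DANE where the peer publishes TLSA ---

# Inbound: offer STARTTLS, still accept plaintext from legacy senders.
# The Received: header records the cipher/protocol used, so unencrypted
# deliveries remain visible in the logs and headers.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/postfix/certs/mail.example.org.key
smtpd_tls_received_header = yes

# Outbound: DANE needs DNSSEC-validated answers, so this assumes a
# DNSSEC-validating resolver on localhost. With "dane", a destination that
# publishes usable TLSA records gets mandatory, TLSA-verified TLS; one that
# does not falls back to opportunistic ("may") TLS.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Forward secrecy: prefer ECDHE key exchange and the server's cipher order.
smtpd_tls_eecdh_grade = ultra
tls_preempt_cipherlist = yes

# Per-destination policy: demand verified TLS only for peers known to
# support it, e.g. a line "partner.example.net secure" in the table below,
# instead of breaking delivery to every plaintext-only domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

After editing, run `postfix check` and watch the mail log for "Verified TLS connection" versus "Untrusted" or "Anonymous" entries to confirm which peers actually get DANE-verified sessions.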
