On 7 Jun 2015, at 0:08, Chuck Peters wrote:

Bill Cole said:
On 3 Jun 2015, at 9:15, John Allen wrote:

Is there any way of testing for and refusing un-encrypted email?

The generic answer is "yes" but you need to define what you mean to
pick a mechanism.

If you mean email must be sent and received over an encrypted
transport, e.g. TLS, it is simply a matter of 2 postfix settings:

smtp_tls_security_level=encrypt
smtpd_tls_security_level=encrypt

Would this also require checking DANE and/or a signed certificate?

No. Encryption and authentication are independent.

Is further Postfix configuration required?

Well, yes, in that you need a certificate of some sort to make TLS encryption usable. There's probably some obscure anonymous ephemeral-key mode that could work in theory without any cert, but if you wish to discuss such hypotheticals, there's probably a wall nearby more up to that discussion than I am.

However, my assumption is that anyone asking about mandatory encryption already is set up to support opportunistic encryption with a wide range of peers, so they'd already have a cert set up.

Note that using those will BREAK YOUR MAIL SERVER for normal use and
violate RFC2487, which defines the STARTTLS extension to SMTP. Many
SMTP servers still do not support TLS; requiring it with no
plaintext fallback means no mail to or from those peers.

RFC2487 is obsoleted by RFC3207.

Which did not change the relevant language. Requiring encryption violates the specification of the STARTTLS extension to SMTP, and always has. Almost certainly always will.

Why not create another RFC for a DNS TLSMX record?

Go for it. Have fun. I sincerely wish you good luck.

TLSMX
Encryption as specified in RFC 3207 is required and unencrypted email is not accepted.
Forward secrecy is required.
Strict TLS validation is required by first checking for TLSA and then a strictly validated cert.

Or am I missing something obvious?

Have you ever been involved in an RFC process? Have you ever tried to get a new DNS RR-Type enshrined in an RFC? Are you familiar with the history of the SPF type?
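As an added example (not part of this thread or of Postfix's own documentation), here is a main.cf fragment that keeps the global default opportunistic, as Bill describes as the realistic starting point, and applies a mandatory level only to named next-hop domains through smtp_tls_policy_maps, so a blanket "encrypt" never cuts off TLS-less peers. The domain names and file paths are assumptions.

```ini
# /etc/postfix/main.cf (added example; host names and paths are assumed)
# Global policy stays opportunistic: peers without STARTTLS can still send
# and receive. Mandatory levels are applied per destination further down.
smtpd_tls_security_level = may
smtp_tls_security_level = may

# A certificate and key are needed for any usable TLS mode (paths assumed).
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key

# DNSSEC-validating resolver (on localhost) and DNS host lookups are
# prerequisites for the "dane" and "dane-only" levels in the policy table.
smtp_dns_support_level = dnssec
smtp_host_lookup = dns

# CA bundle consulted by the "secure" and "verify" levels.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination policy: only domains listed here get a mandatory level.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log one summary line per handshake so a failed mandatory session shows
# up in the mail log as deferred rather than silently queueing.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after edits)
# Encryption mandatory, any certificate accepted (assumed peer domain):
partner-a.example    encrypt
# Require a DNSSEC-signed TLSA record; no fallback if it is missing:
partner-b.example    dane-only
# CA-validated certificate whose name must match the given host:
partner-c.example    secure match=mail.partner-c.example
```

After reloading, `postconf -n | grep tls` confirms the effective settings, and a peer that cannot meet its mandatory level will leave deferred messages in the queue rather than delivering in plaintext.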
