On Mon, Sep 14, 2015 at 10:32:46AM +0800, Ken Peng wrote:

> All our MX servers can be set up with tls secure.

So the servers in question are inbound MX hosts accepting mail from other domains on port 25? And you were asking a question about securing inbound mail? If so, why were you asking about port 465? That's a legacy (and perhaps also future) submission service for mail *from* your users to other domains, not from other domains to your users.

> But as people have said in the list, we should accept the messages which are
> not encrypted otherwise it will break RFC.

Only if you make clear which mail flow you're talking about.

> If the peer MTAs send messages to us, with non-encrypted content, these
> messages should not be secure at all, regardless of whether they are stored within our
> systems with or without encryption.

Now you seem to be confusing transport encryption (i.e. TLS) with end-to-end message encryption (i.e. S/MIME and/or OpenPGP).

> Here the gov etc owns strong wiretap technology. They don't have to go into
> our systems, but do the wiretap on internet, will get everything they want,
> unless the transfer is also going with strong SSL.
>
> This is what I actually want to ask for, about the transfer secure.

I can only keep repeating myself. There are multiple contexts in which SMTP transport is used. Unless you can explain, in detail, which use-case you're asking about, you'll get bad or no advice.

Even for MTA to MTA, we have:

* Public MX host for inbound mail
* Internal MX for edge to mail store delivery
* Internal MX mail store to edge smarthost/relay
* Private MX for business partners
...

What's possible and what's best-practice depends on the details.

-- 
Viktor.
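The reply above makes the point that SMTP TLS is transport encryption, protecting one hop at a time, and that each MTA-to-MTA context (public MX, internal edge-to-store, partner relay) has to be looked at separately. The script below is an added example that is not part of the thread or of any project it mentions: it audits the `Received:` trace of a message hop by hop, using the RFC 3848 `with` keywords (`ESMTPS`, `ESMTPSA`, ...) to tell TLS-protected hops from cleartext ones. The sample message, its hostnames, addresses and queue ids are all constructed for the example.

```python
"""Per-hop transport-encryption audit of Received: headers (added example).

SMTP TLS covers a single hop, so whether a message crossed the Internet in
cleartext is only visible by reading every Received: line, oldest hop first.
A hop whose 'with' keyword ends in S (ESMTPS) or SA (ESMTPSA, authenticated
over TLS) was received over TLS; plain SMTP/ESMTP/ESMTPA was cleartext.
"""
import re
from email import message_from_string

# Constructed sample: three hops. The middle hop (partner MX -> our edge MX)
# is cleartext even though the hops on either side of it used TLS.
SAMPLE_MESSAGE = """\
Received: from edge.example.net (edge.example.net [192.0.2.10])
\tby store.example.net with ESMTPS id ABC123
\tfor <alice@example.net>; Mon, 14 Sep 2015 10:40:01 +0800
Received: from mx.partner.example (mx.partner.example [198.51.100.5])
\tby edge.example.net with ESMTP id DEF456;
\tMon, 14 Sep 2015 10:39:58 +0800
Received: from client.partner.example (unknown [203.0.113.7])
\tby mx.partner.example with ESMTPSA id GHI789;
\tMon, 14 Sep 2015 10:39:50 +0800
From: bob@partner.example
To: alice@example.net
Subject: test

body
"""

_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)


def _tls_keyword(keyword):
    """RFC 3848: a trailing S marks TLS; a trailing A marks authentication."""
    return keyword.upper().rstrip("A").endswith("S")


def parse_received(value):
    """Pull sending host, receiving host and protocol keyword out of one Received: value."""
    from_m, by_m, with_m = _FROM.search(value), _BY.search(value), _WITH.search(value)
    protocol = with_m.group(1).upper() if with_m else None
    return {
        "from_host": from_m.group(1) if from_m else None,
        "by_host": by_m.group(1) if by_m else None,
        "protocol": protocol,
        # Unknown or missing keyword is treated as cleartext: no evidence of TLS.
        "encrypted": bool(protocol) and _tls_keyword(protocol),
    }


def audit(raw_message):
    """Return the hops oldest-first, each tagged with whether it was TLS-protected.

    Received: headers are prepended by each relay, so the top one is the last
    hop; reversing gives the order the message actually travelled. Only the
    lines added by your own MTAs are trustworthy: anything upstream of your
    edge could have been written by whoever handed the message in.
    """
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def all_hops_encrypted(hops):
    """True only if every recorded hop used TLS (no cleartext anywhere in the trace)."""
    return bool(hops) and all(h["encrypted"] for h in hops)


if __name__ == "__main__":
    hops = audit(SAMPLE_MESSAGE)
    for h in hops:
        status = "TLS      " if h["encrypted"] else "CLEARTEXT"
        print(f"{status}  {h['from_host']} -> {h['by_host']}  ({h['protocol']})")
    print("end-to-end transport encryption:", all_hops_encrypted(hops))
```

Running it on the constructed sample shows one cleartext hop in the middle, which is exactly the situation the thread is about: both the partner's own MX and our internal delivery used TLS, but the public Internet leg did not, so the transport-level protection the sender might assume was never there. The trace is only as honest as the relays that wrote it, so treat hops recorded by other organisations' servers as claims, not facts.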