Viktor,

On 2015/9/14 Monday 11:16, Viktor Dukhovni wrote:
> On Mon, Sep 14, 2015 at 10:32:46AM +0800, Ken Peng wrote:
>
>> All our MX servers can be set up with TLS secure.

> So the servers in question are inbound MX hosts accepting mail from
> other domains on port 25?  And you were asking a question about
> securing inbound mail?

Yes they are inbound MX servers.
You are exactly right, we are talking about securing inbound mail.



> If so, why were you asking port 465?  That's a legacy (and perhaps
> also future) submission service for mail *from* your users to other
> domains, not from other domains to your users.

Sorry, I was just not sure if a peer MTA (not MUA) can deliver messages to us from port 465 (SSL enabled).

Also, our commercial domain is not cloud-china.org (this is the one just for my personal usage). Due to the company's policy I can't say whom I was serving.


>> But as people have said in the list, we should accept the messages which are
>> not encrypted; otherwise it will break the RFC.

> Only if you make clear which mail flow you're talking about.

>> If the peer MTAs send messages to us with non-encrypted content, these
>> messages are not secure at all, regardless of whether they are stored within our
>> systems encrypted or not.

> Now you seem to be confusing transport encryption (i.e. TLS) with
> end-to-end message encryption (i.e. S/MIME and/or OpenPGP).

I meant transport encryption (TLS/SSL).
OpenPGP etc. is for body encryption; this is not what I asked about.


>> Here the government etc. owns strong wiretap technology. They don't have to go into
>> our systems; by wiretapping the internet they will get everything they want,
>> unless the transfer is also going with strong SSL.

This is what I actually want to ask about: transfer security.

> I can only keep repeating myself.  There are multiple contexts in
> which SMTP transport is used.  Unless you can explain, in detail,
> which use-case you're asking about, you'll get bad or no advice.

> Even for MTA to MTA, we have:
>
>      * Public MX host for inbound mail
>      * Internal MX for edge to mail store delivery
>      * Internal MX mail store to edge smarthost/relay
>      * Private MX for business partners
>      ...
>
> What's possible and what's best-practice depends on the details.


* We are public MX hosts; there are hundreds of them, as I have said. They are deployed in a distributed architecture.
* They are neither internal MX nor relay.
* For the delivery agent we in fact wrote our own ones, not open source, b/c our storage service is not open source but uses our own storage architecture.
* Not a private MX; you can just think of us as Yahoo/AOL etc. We have a user base near to them.

Thx.

--
  B. Regards,
  Ken Peng - k...@cloud-china.org
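The thread's practical question is whether a public inbound MX protects mail from passive wiretapping on the wire. For that flow the relevant check is not port 465 but whether the MX advertises STARTTLS on port 25 and completes a TLS handshake. The script below is an added example, not code from the original thread or from any list member; the hostname and the EHLO replies are constructed, and `parse_ehlo`, `offers_starttls` and `probe_inbound_mx` are hypothetical helper names.

```python
import re
import smtplib
import socket
from typing import Dict, List

# Constructed EHLO replies, shaped like what an inbound MX on port 25 returns.
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mx.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_EHLO_NO_STARTTLS = "250-mx.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map a multi-line 250 EHLO reply to {EXTENSION: [params]}; line 1 is the hostname."""
    exts: Dict[str, List[str]] = {}
    for line in reply.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line.strip())
        if m:
            exts[m.group(1).upper()] = (m.group(2) or "").split()
    return exts


def offers_starttls(reply: str) -> bool:
    """True if the server advertises STARTTLS, i.e. opportunistic TLS is available."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_inbound_mx(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Live check of one public MX: STARTTLS advertised on port 25, and handshake succeeds?"""
    result: Dict[str, object] = {"host": host, "port": port, "starttls": False, "tls_ok": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo()
            result["starttls"] = s.has_extn("starttls")
            if result["starttls"]:
                # Opportunistic TLS only needs the handshake to succeed; the peer
                # certificate is not verified here (pass an ssl.SSLContext to be strict).
                s.starttls()
                s.ehlo()
                result["tls_ok"] = True
    except (smtplib.SMTPException, socket.error) as e:
        result["error"] = str(e)
    return result


if __name__ == "__main__":
    print(probe_inbound_mx("mx.example.test"))  # hostname is a constructed placeholder
```

An MX that reports `starttls: False` delivers every inbound message in cleartext, which is exactly the exposure described in the thread, while one that reports `tls_ok: True` still accepts cleartext from peers that never issue STARTTLS, as the RFC requires.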
