Per the DROWN mitigation, I stopped allowing SSLv2 and SSLv3, so I made it a point to read the headers and look for encryption issues.

My conclusion is there is always "that one guy" that doesn't use encryption. In my case, literally one guy. Not being able to get his "regular" email to work, I got him to switch to Gmail. This is on my personal server. If you have customers, then each customer can have that "one guy", so it depends on how much time you want to sink into getting a third party to encrypt.

I also made it a point to look for use of SPF and DKIM. Excluding the spammers that got through, nearly every user had both SPF and DKIM, but not all. One lacking SPF is a new business partner. The account without DKIM was a commercial vendor. My point here was I had considered setting up policies to reject email that didn't have both SPF and DKIM, but doing a survey I realized there would be real situations where legitimate email would not get through. One person I know uses pobox.com, and that fails SPF. I think policing everyone's email setup will lead to a lot of busy work.

Original Message
From: jaso...@mail-central.com
Sent: Saturday, April 9, 2016 8:47 AM
To: postfix-users@postfix.org
Subject: reality-check on 2016 practical advice re: requiring inbound TLS?

I'm setting up mandatory TLS policy for a couple of private client servers, using

- smtpd_tls_security_level = may
+ smtpd_tls_security_level = encrypt

I started wondering whether it wouldn't be a bad thing to require ALL email delivered to my server, from anywhere, to use TLS.

Reading at http://www.postfix.org/TLS_README.html

It warns against doing this:

    You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by setting "smtpd_tls_security_level = encrypt". According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server. This option is off by default and should only seldom be used.

That RFC, though, is from January 1999 http://tools.ietf.org/html/rfc2487 and afaict has been superseded by http://tools.ietf.org/html/rfc3207 from February 2002, which also says

    "A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally."

It's 14 years later, and a lot's changed in SSL usage.

Are there any later relevant RFCs that change this advice against forced TLS?

Regardless of RFC, in today's "SSL everywhere" atmosphere, is this still good, practical advice?

I've turned on smtpd_tls_loglevel=1, and will watch for a while on my own servers.

What do you 'real world' Postfix admins see/do these days?

Jason
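Not part of the thread: a Python script, added here, that does the header survey the reply describes (which senders still deliver in cleartext, which lack SPF or DKIM) so the impact of a strict inbound policy can be measured before it is enforced. It assumes Postfix's own Received-header annotations and an Authentication-Results header added by a milter such as OpenDKIM or OpenDMARC (hypothetical setup); the two messages are constructed samples, not real mail.

```python
import re
from email import message_from_string

# Two constructed messages standing in for a mailbox sample (not real mail).
SAMPLES = [
    # Arrived over STARTTLS, carries a DKIM signature, SPF passed.
    """Received: from mail.example.com (mail.example.com [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.example.net (Postfix) with ESMTPS id 4F3A1 for <me@example.net>;
\tSat, 9 Apr 2016 08:47:00 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; b=AAAA
From: partner@example.com""",
    # Arrived in cleartext, no DKIM signature, SPF failed: the "one guy" case.
    """Received: from oldbox.example.org (oldbox.example.org [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id 4F3A2 for <me@example.net>;
\tSat, 9 Apr 2016 09:01:00 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org
From: guy@example.org""",
]

# Postfix marks a TLS hop with "ESMTPS" and, at smtpd_tls_loglevel >= 1, a
# "(using TLSv... with cipher ...)" comment in the Received header it adds.
TLS_RE = re.compile(r"with ESMTPS\b|\(using (?:TLS|SSL)v[\d.]+ with cipher ")
SPF_RE = re.compile(r"\bspf=(\w+)")

def survey(raw):
    """Return TLS, SPF and DKIM facts for one message from its headers."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Our own MX prepends its Received header, so received[0] is the hop
    # that actually delivered the message to us (earlier hops are untrusted).
    hop = re.sub(r"\s+", " ", received[0]) if received else ""
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    spf = SPF_RE.search(auth)
    return {"sender": msg.get("From", ""), "tls": bool(TLS_RE.search(hop)),
            "spf": spf.group(1) if spf else "none",
            "dkim": "DKIM-Signature" in msg}

def summarize(raws):
    """List the senders a strict TLS/SPF/DKIM policy would have rejected."""
    rows = [survey(r) for r in raws]
    return {"total": len(rows),
            "plaintext": [r["sender"] for r in rows if not r["tls"]],
            "no_dkim": [r["sender"] for r in rows if not r["dkim"]],
            "spf_not_pass": [r["sender"] for r in rows if r["spf"] != "pass"]}

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Run it over a real mbox (one `survey()` call per message) and the three lists show exactly which legitimate correspondents `smtpd_tls_security_level = encrypt` or an SPF/DKIM reject policy would cut off.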