On Sat, Apr 9, 2016, at 09:33 AM, li...@lazygranch.com wrote:
> Per the DROWN mitigation, I stopped allowing sslv2 and sslv3

Did that as well. Actually before even that point.

> so I made it a point to read the headers and look for encryption issues.

I admit I never even bothered to look for the effects of that^, voting instead for the BOFH-inspired "screw-em" approach. In retrospect, I've never ended up missing a mail that made a tangible difference as a result.

> My conclusion is there is always "that one guy" that doesn't use encryption.
> In my case, literally one guy. Not being able to get his "regular" email to
> work, I got him to switch to gmail.
>
> This is on my personal server. If you have customers, then each customer can
> have that "one guy", so it depends on how much time you want to sink into
> getting a third party to encrypt.

Points made. I'm not a provider, but do have clients. I guess I'm thinking about how long to mollycoddle folks still in the dark ages, clients or not.

> I also made it a point to look for use of SPF and DKIM. Excluding the
> spammers that got through, nearly every user had both SPF and DKIM, but not
> all. One lacking SPF is a new business partner. The account without DKIM was
> a commercial vendor. My point here was I had considered setting up policies
> to reject email that didn't have both SPF and DKIM, but doing a survey
> realized there would be real situations where legitimate email would not get
> through. One person I know uses pobox.com, and that fails SPF.

I block on strict FAILs of any of SPF, DKIM or DMARC. *missing* support for those is logged, but not - yet - acted on.

> I think policing everyone's email set up will lead to a lot of busy work.

True. One option is to stop policing, make sure MY postfix provides correct error-messages, and leave them to their own troubles.

Thanks for the comments. 'Someone' out there has some thorough statistics ... Interesting to know a bit more.

Jason
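The policy described in the reply above (reject on a strict fail of SPF, DKIM or DMARC; only log when a mechanism is missing), applied offline to `Authentication-Results` headers for the kind of survey the quoted message describes. This is an added example, not code from either poster; the authserv-id `mx.example.org`, the constructed sample headers and the rule that a passing DKIM signature outweighs a failing one are assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of your own verifier
METHODS = ("spf", "dkim", "dmarc")
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(msg):
    """Map each method to the set of results stamped by the trusted verifier."""
    found = {m: set() for m in METHODS}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        ident = authserv.split()
        # A sender can add this header too; only believe our own verifier's copy.
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue
        for method, result in RESULT_RE.findall(rest):
            found[method.lower()].add(result.lower())
    return found

def verdict(msg):
    """Return (action, methods): reject on strict fail, log when missing."""
    res = auth_results(msg)
    # "softfail", "neutral", "temperror" are not strict fails; a passing DKIM
    # signature outweighs a failing one on the same message (assumption).
    failed = [m for m in METHODS if "fail" in res[m] and "pass" not in res[m]]
    if failed:
        return "reject", failed
    missing = [m for m in METHODS if not res[m] - {"none"}]
    return ("log", missing) if missing else ("accept", [])

# Constructed sample header values, one per sender type mentioned in the thread.
SAMPLES = {
    "clean": "mx.example.org; spf=pass; dkim=pass; dmarc=pass",
    "partner-no-spf": "mx.example.org; spf=none; dkim=pass; dmarc=pass",
    "vendor-no-dkim": "mx.example.org 1; spf=pass;\n dkim=none; dmarc=pass",
    "forwarder": "mx.example.org; spf=fail; dkim=pass; dmarc=pass",
    "forged-stamp": "mail.sender.example; spf=pass; dkim=pass; dmarc=pass",
}

def sample(name):
    raw = f"Authentication-Results: {SAMPLES[name]}\nFrom: a@sender.example\n\nbody\n"
    return message_from_string(raw)

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} {verdict(sample(name))}")
```

The `forwarder` sample is rejected on SPF alone even though DKIM and DMARC pass, which is the legitimate-mail loss the quoted survey warns about; the `forged-stamp` sample shows why results from any other authserv-id are ignored.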