Would a guru comment on my "interpretation" of these documents?
1) It looks to me that STARTTLS really only protects the path to the first server. The classic case is sending email over non-secure coffee shop wifi.

2) Mail between Google/Yahoo servers will enforce TLS, but other transit may not?

My view of STARTTLS email is this. At best, you only protect the endpoints. The snail mail analogy is that you leave a message in an envelope for the mail carrier. That message makes it to the post office in the envelope. As the mail transits between post offices, some of those non-postal carriers may remove your envelope. The destination post office, should it find your message lacking an envelope, puts your message in another envelope, then delivers it.

3) I reviewed DMARC. All my accounts have functional SPF and DKIM. If I set DMARC to quarantine, will my email at least be delivered?

I've looked at DNSSEC, but it seems like I need a 2nd server to make it work. If not, can someone provide what they consider a good link on the topic?

My understanding is that only PGP or S/MIME has end-to-end encryption.

Original Message
From: Viktor Dukhovni
Sent: Saturday, April 9, 2016 2:03 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: reality-check on 2016 practical advice re: requiring inbound TLS?

On Sat, Apr 09, 2016 at 08:46:54AM -0700, jaso...@mail-central.com wrote:

> I'm setting up mandatory TLS policy for a couple of private client servers,
> using
>
> - smtpd_tls_security_level = may
> + smtpd_tls_security_level = encrypt
>
> I started wondering whether it wouldn't be a bad thing to require
> ALL email delivered to my server, from anywhere, to use TLS.

Your server, your rules, but be prepared to refuse a lot of legitimate email.

https://www.google.com/transparencyreport/saferemail/
https://www.ietf.org/proceedings/95/slides/slides-95-irtfopen-1.pdf
https://www.elie.net/publication/neither-snow-nor-rain-nor-mitm-an-empirical-analysis-of-email-delivery-security

--
Viktor.
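Review bot: changing `smtpd_tls_security_level` from `may` to `encrypt` in main.cf makes TLS mandatory for every client that reaches that smtpd listener, not only the "couple of private client servers" named, which is exactly the refusal-of-legitimate-mail effect the reply warns about. If the goal is to require TLS only from a few known peers, put the `encrypt` setting on the listener those peers use (for example a dedicated service in master.cf with `-o smtpd_tls_security_level=encrypt`) and leave the public port-25 listener at `may`.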
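To make point 1 and point 2 concrete (STARTTLS is hop-by-hop, so an encrypted first hop says nothing about the later ones), here is an added example, not code from the thread or from Postfix, that audits the `Received:` headers of a delivered message hop by hop. It relies on the RFC 3848 `with` keywords (`ESMTPS`/`ESMTPSA` mean the receiving server negotiated STARTTLS, `ESMTP`/`SMTP` mean cleartext) and on the `version=... cipher=...` clause that Postfix writes into its own `Received:` line. The three sample headers are constructed for the example; the middle hop is deliberately cleartext, which is the "envelope removed in transit" case from the analogy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample Received: headers (not from the thread), listed newest-first,
# which is the order they appear in a delivered message. The middle relay speaks
# plain ESMTP, so that hop is cleartext even though both ends of the path used TLS.
SAMPLE_RECEIVED: List[str] = [
    "from mail-yw1-f42.example.net (mail-yw1-f42.example.net [203.0.113.42]) "
    "by mx.example.org (Postfix) with ESMTPS id 4F2A1C0123 "
    "(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128) "
    "for <user@example.org>; Sat, 9 Apr 2016 14:10:02 -0700 (PDT)",
    "from relay.coffeeshop-isp.example (relay.coffeeshop-isp.example [198.51.100.7]) "
    "by mail-yw1-f42.example.net with ESMTP id abc123; "
    "Sat, 9 Apr 2016 14:09:55 -0700 (PDT)",
    "from laptop.local (unknown [192.0.2.10]) "
    "by relay.coffeeshop-isp.example (Postfix) with ESMTPSA id 77AB2; "
    "Sat, 9 Apr 2016 14:09:40 -0700 (PDT)",
]

# RFC 3848 "with" protocol names that imply the hop was protected by STARTTLS.
# The trailing "A" only means the client authenticated (submission), not extra crypto.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# from <host> ... by <host> ... with <protocol>; DOTALL because headers may be folded.
HOP_RE = re.compile(
    r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Z0-9]+)",
    re.DOTALL,
)
# Postfix-style TLS annotation inside its own Received: line.
TLS_RE = re.compile(r"version=(?P<version>[\w.]+)\s+cipher=(?P<cipher>[\w-]+)")


@dataclass
class Hop:
    sender: str            # host that handed the message over
    receiver: str          # server that wrote this Received: line
    protocol: str          # RFC 3848 "with" keyword
    encrypted: bool        # True when the keyword implies STARTTLS
    tls_version: Optional[str] = None
    cipher: Optional[str] = None


def parse_hop(header: str) -> Optional[Hop]:
    """Extract one hop from a Received: header; None if it has no from/by/with clause."""
    m = HOP_RE.search(header)
    if m is None:
        return None
    proto = m.group("with")
    tls = TLS_RE.search(header)
    return Hop(
        sender=m.group("from"),
        receiver=m.group("by"),
        protocol=proto,
        encrypted=proto in TLS_PROTOCOLS,
        tls_version=tls.group("version") if tls else None,
        cipher=tls.group("cipher") if tls else None,
    )


def audit_received(headers: List[str]) -> List[Hop]:
    """Return the hops in transit order (oldest first), skipping unparseable headers.

    Each line is written by the *receiving* server of that hop, so the audit shows
    what those servers recorded; a dishonest or misconfigured relay can misreport,
    which is why the sender can only ever vouch for the first hop it made itself.
    """
    return [h for h in (parse_hop(x) for x in reversed(headers)) if h is not None]


def cleartext_hops(headers: List[str]) -> List[Tuple[str, str]]:
    """(sender, receiver) pairs for every hop that did not use STARTTLS."""
    return [(h.sender, h.receiver) for h in audit_received(headers) if not h.encrypted]


def all_hops_encrypted(headers: List[str]) -> bool:
    """True only if every recorded hop negotiated TLS; an empty trace is not 'encrypted'."""
    hops = audit_received(headers)
    return bool(hops) and all(h.encrypted for h in hops)


if __name__ == "__main__":
    for i, h in enumerate(audit_received(SAMPLE_RECEIVED), 1):
        status = f"TLS {h.tls_version or '(version not recorded)'}" if h.encrypted else "CLEARTEXT"
        print(f"hop {i}: {h.sender} -> {h.receiver} [{h.protocol}] {status}")
    print("fully encrypted path:", all_hops_encrypted(SAMPLE_RECEIVED))
```

Run it on a real message by pasting that message's `Received:` headers into the list, newest first. The report only tells you what each receiving server chose to record, which is the same limitation the post describes: the sending side can verify its own hop, and everything after that is taken on trust from the relays.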