(Non-US) lawyer here, chiming in after the itch became too strong. Initially I wanted to stay out of this debate, the solution of which is obviously non-technical and probably OT.
DISCLAIMER: THE FOLLOWING IS NOT LEGAL ADVICE.

On 16-07-16 11:04 AM, /dev/rob0 wrote:
> You have already discarded STARTTLS from your EHLO reply for packet
> radio clients, and I think even that is going a bit too far.

In my view, that's the maximum extent to which an SMTP server operator can be held liable. I'd disable STARTTLS and forget about the rest.

Principle of the rule of law: if a law can't possibly be followed, no court in a rule of law country will enforce it. There is enough indication in this thread that it is technically impossible to prevent users from concealing the content of their communication while using your SMTP server.

> If your interpretation of these FCC rules is accurate, you really
> can't offer any kind of connection to the Internet in any way, even
> indirect. You can't possibly anticipate all kinds of cryptography
> and steganography.

It is indeed a matter of interpretation, and I would like to see the FCC rules text. Questions: (1) how do they define "encrypted"? (2) on whom is the obligation imposed?

Imposing the onus on the SMTP server operator is like imposing the onus on gas stations for fueling vehicles used in criminal endeavors. It does not fly because the gas station can't possibly know what the user will use the vehicle for, other than (probably) driving. By the definition of encryption, an SMTP server operator can't possibly know that a message is encrypted unless the end-user is kind enough to say so, e.g. in the MIME headers.

> Don't let them push you down this slippery slope. If you are really
> worried about it, call the FCC or a private attorney and get a solid
> interpretation.

If I was the SMTP server operator and they came to me, I'd tell them to take a walk. If they came back and fined me I would not pay and tell them to take a longer walk. If they came back and sued me, I would defend in court and argue that the rule is not enforceable against the SMTP server operator because it is technically impossible to comply with. I would tell them to take an even longer walk until they may guess that the rule may be enforceable against the end-user. If they came to me and asked for the end-user information, I would tell them to get a warrant. If they showed me a valid warrant, I would dump on them my log files (or a justification why I do not keep log files) and tell them good luck.

Yuv