Correction: my numbers were off because I used case-insensitive search.

robg...@nospammail.net:
> Hello,
>
> I am starting to set up a Postfix server for our office.
>
> I'm looking at TLS policy.
>
> Reading old posts on the Postfix mailing lists there are lots of
> comments that REQUIRING tls should never be done on a public
> internet-facing server.
>
> But those comments are from 5-7 yrs ago.
>
> Is that still the case?

Your server, your rules...

> On a friend's server we just checked 3 months of logs. IIUC there have
> been no non-TLS connections at all in that time:
>
> grep -i "connection established" postfix*.log | wc -l
> 125217
>
> grep -i "connection established" postfix*.log | grep -v TLS | wc -l
> 0
>
> First, is that a legitimate way to check?

No, because "connection established" is logged only for TLS connections.
You'd also have to count the lines with "connect from", which covers both
TLS and non-TLS.

On my tiny server, only 43% of all inbound connections in June 2017 used
TLS (a negligible portion of the "connection established" lines were from
tlsproxy). And that is only for the 4.9% of connections that weren't
blocked by postscreen (25% of all unique clients).

If I were to block non-TLS email, I would miss a lot of email.

	Wietse
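The counting method described in the reply above, worked through as an added shell example (not part of the original thread or of Postfix itself). The log lines are constructed for the example. It counts smtpd "connect from" lines as the denominator and smtpd "TLS connection established" lines as the numerator, matches case-sensitively so that postscreen's upper-case "CONNECT from" lines are not mistaken for smtpd sessions, anchors on "]: connect from" so that "disconnect from" lines are not counted, and restricts to smtpd lines so that tlsproxy's "connection established" lines stay out of the TLS count:

```shell
#!/bin/sh
# Added example: what share of inbound smtpd sessions negotiated TLS, and how
# many plaintext sessions a TLS-only policy would have rejected.
# These syslog lines are constructed for the example, not from a real server.
SAMPLE_LOG='Jun  1 10:00:00 mail postfix/postscreen[1001]: CONNECT from [192.0.2.10]:41234 to [198.51.100.5]:25
Jun  1 10:00:02 mail postfix/smtpd[1002]: connect from mx1.example.net[192.0.2.10]
Jun  1 10:00:02 mail postfix/smtpd[1002]: Anonymous TLS connection established from mx1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  1 10:00:05 mail postfix/smtpd[1002]: disconnect from mx1.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun  1 10:01:00 mail postfix/postscreen[1001]: CONNECT from [203.0.113.7]:51000 to [198.51.100.5]:25
Jun  1 10:01:01 mail postfix/smtpd[1003]: connect from unknown[203.0.113.7]
Jun  1 10:01:04 mail postfix/smtpd[1003]: disconnect from unknown[203.0.113.7] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=4/5
Jun  1 10:02:00 mail postfix/postscreen[1001]: CONNECT from [203.0.113.9]:51001 to [198.51.100.5]:25
Jun  1 10:02:00 mail postfix/postscreen[1001]: PREGREET 11 after 0.1 from [203.0.113.9]:51001: EHLO spam
Jun  1 10:02:00 mail postfix/postscreen[1001]: DISCONNECT [203.0.113.9]:51001'

log() { printf '%s\n' "$SAMPLE_LOG"; }

# Every client that reached smtpd. Case-sensitive on purpose: "grep -i" would
# also match postscreen's "CONNECT from". The "]: " anchor keeps smtpd's
# "disconnect from" lines out of the count. "|| true" keeps a zero count from
# aborting a "set -e" script (grep -c exits 1 when nothing matches).
count_smtpd_connections() {
    log | grep 'postfix/smtpd\[' | grep -c ']: connect from' || true
}

# Sessions that actually negotiated STARTTLS in smtpd. tlsproxy logs the same
# phrase, so the count is restricted to smtpd lines.
count_smtpd_tls() {
    log | grep 'postfix/smtpd\[' | grep -c 'TLS connection established from' || true
}

# Connections postscreen saw, including the ones it blocked before smtpd.
count_postscreen_connects() {
    log | grep -c 'postfix/postscreen\[[0-9]*\]: CONNECT from' || true
}

# Integer percentage of smtpd sessions that used TLS (0 when there were none).
tls_percent() {
    total=$(count_smtpd_connections)
    tls=$(count_smtpd_tls)
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $(( tls * 100 / total ))
}

# The sessions a TLS-only policy would have refused.
count_plaintext_sessions() {
    echo $(( $(count_smtpd_connections) - $(count_smtpd_tls) ))
}

echo "postscreen CONNECT:    $(count_postscreen_connects)"
echo "smtpd connect from:    $(count_smtpd_connections)"
echo "smtpd TLS established: $(count_smtpd_tls) ($(tls_percent)%)"
echo "plaintext sessions:    $(count_plaintext_sessions)"
```

To run it against real logs, replace the `log` function with `cat /var/log/mail.log*` (or wherever syslog puts Postfix output); the three percentages in the reply above are the same three ratios this script prints.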