On 12/04/2019 19:36, @lbutlr wrote:
On 12 Apr 2019, at 10:42, micah anderson <mi...@riseup.net> wrote:
"@lbutlr" <krem...@kreme.com> writes:
On 12 Apr 2019, at 08:46, micah anderson <mi...@riseup.net> wrote:
The site https://hardenize.com provides relatively decent Email reports,
along with other reports. It checks a number of things including certs,
MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. These are all
good checks and recommendations, with the exception of the TLS one, I do
not see how its possible to meet their standards, and provide an email
server on the internet. However, I could be wrong, so I'm interested to
know if I am.
I'm not impressed. It complains that STARTTLS is not available on my server. It
is true it is not available on port 25, but is available on port 587 where it
should be.
Since they are not testing submission, this seems correct.
It is not correct to classify this as a warning.
You have disabled STARTTLS on port 25 and only accept unencrypted
connections there?
Actually, no. STARTTLS is on port 25 for servers, but hardenize reports it's
not available, which for some reason this morning I thought was an indication
it was testing it as a login feature. I do not allow logins on port 25.
I too find that hardenize complains about my STARTTLS without any
details as to why. Like @lbutlr (and most of us) I offer STARTTLS on
port 25 but not AUTH. However I see this message in my log after the
test ran, I think hardenize is hitting my server too hard and maybe that
is why it is (wrongly) saying there is a problem with the server:
2019-04-13 07:36:23 streamingbats postfix/smtpd[19724]: warning:
Connection rate limit exceeded: 31 from
outbound.hardenize.com[18.233.176.231] for service smtp
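As an added example (not written by anyone in this thread), a small Python script that pulls Postfix anvil "limit exceeded" warnings like the one quoted above out of a log and tallies them per client, so an admin can see whether an external scanner tripped the connection rate limit before trusting its STARTTLS verdict. The sample log lines are constructed; the first mirrors the quoted warning joined back onto one line, and 192.0.2.10 is a placeholder address.

```python
import re
from collections import defaultdict

# Matches Postfix smtpd warnings emitted when anvil(8) limits are hit, e.g.
#   ... postfix/smtpd[19724]: warning: Connection rate limit exceeded: 31 from
#   outbound.hardenize.com[18.233.176.231] for service smtp
# (the mail client wrapped that line; in the log it is a single line).
LIMIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) postfix/smtpd\[\d+\]: warning: "
    r"Connection (?P<kind>rate|concurrency) limit exceeded: (?P<count>\d+) from "
    r"(?P<client>\S+)\[(?P<ip>[^\]]+)\] for service (?P<service>\S+)$"
)

def parse_limit_warnings(lines):
    """Return one dict per rate/concurrency limit warning; other lines are skipped."""
    events = []
    for line in lines:
        m = LIMIT_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events

def summarize_by_client(events):
    """Per client hostname: number of warnings, highest count seen, last IP."""
    summary = defaultdict(lambda: {"warnings": 0, "max_count": 0, "ip": None})
    for e in events:
        s = summary[e["client"]]
        s["warnings"] += 1
        s["max_count"] = max(s["max_count"], e["count"])
        s["ip"] = e["ip"]
    return dict(summary)

# Constructed sample log; the first line is the thread's warning, unwrapped.
SAMPLE_LOG = """\
2019-04-13 07:36:23 streamingbats postfix/smtpd[19724]: warning: Connection rate limit exceeded: 31 from outbound.hardenize.com[18.233.176.231] for service smtp
2019-04-13 07:36:24 streamingbats postfix/smtpd[19725]: connect from outbound.hardenize.com[18.233.176.231]
2019-04-13 07:36:25 streamingbats postfix/smtpd[19726]: warning: Connection concurrency limit exceeded: 12 from outbound.hardenize.com[18.233.176.231] for service smtp
2019-04-13 07:40:01 streamingbats postfix/smtpd[19730]: warning: Connection rate limit exceeded: 61 from unknown[192.0.2.10] for service smtp
"""

if __name__ == "__main__":
    for client, s in summarize_by_client(parse_limit_warnings(SAMPLE_LOG.splitlines())).items():
        print(f"{client} ({s['ip']}): {s['warnings']} warning(s), peak count {s['max_count']}")
```

Run it against a real log with `parse_limit_warnings(open("/var/log/mail.log"))` and compare the peak count with `smtpd_client_connection_rate_limit` in main.cf to judge whether the scanner's probes were being refused.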