Hi

IMHO this is a single case. Enforcing TLS on a public-facing SMTP port
makes no sense to me. Except if you want to reject quite a bunch of mail :-)
Sure, TLS encrypted connections are preferable, but to enforce it on an
incoming SMTP server is sportive. They had better leave smtpd
encryption on "may" and deploy a proper DANE setup instead.

Sure, it's their servers, so their rules apply. Everyone is allowed to
shoot their own foot ;-)

Cheers

tobi

On 7/28/21 4:39 PM, Josh Good wrote:
> Hello everybody.
>
> I've been made aware of this communication recently received at some
> site whose email is managed on-premises (i.e., not outsourced to any
> big mailbox provider in the "cloud"):
>
>> From: Rhenus Logistics <no_re...@es.rhenus.com> 
>> Sent: 30 June 2021 17:05
>> To: [omitted]
>> Subject: Email con TLS inferior a 1.2 / Email with TLS less than 1.2
>>  
>> Good Afternoon,
>> We inform you that due to Rhenus security policies, as of 08/01/2021
>> receiving of emails that do not comply with version 1.2 of the TLS 
>> protocol will be restricted.
>> All emails sent in particular to the domain @es.rhenus.com and in 
>> general to any Rhenus domain @*.rhenus.com must be sent with the TLS 
>> 1.2 protocol or higher.
>> Any mail received without fulfilling this condition will be rejected 
>> by our server.
>> Please forward this message to your IT department for consideration 
>> and action.
>> If you have any questions, please head over your Rhenus contact
>>  
>> IT //SERVICES
>
> The above could mean that starting 08/01/2021 their TLS support will
> only support TLS 1.2 (and not any earlier TLS version) with their
> inbound SMTP servers remaining configured in "opportunistic TLS" mode
> --- or it could be read as if they will enable "smtpd_enforce_tls = yes"
> (or "smtpd_tls_security_level = encrypt") in their inbound SMTP servers
> (I don't know if they are using Postfix, but you get what I mean).
>
> If the case is the second one, is that a current trend? Has rfc2487
> been obsoleted and mandatory TLS is now considered "industry standard"
> in publicly-referenced SMTP servers?
>
> I've tried to contact Rhenus IT Services to inquire about this, but my
> phone calls haven't gone through. So I thought I may as well ask this
> list if this is a single case or the "new normal"...
>
> Regards,
>
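
Added example, not part of the original thread: a receiving site weighing the two readings of the notice (TLS 1.2 as the minimum with opportunistic TLS, versus mandatory TLS) can measure from its own Postfix logs how many inbound sessions each would affect. The log lines are constructed, assume `smtpd_tls_loglevel = 1`, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Postfix smtpd log format (smtpd_tls_loglevel = 1);
# hosts and addresses are documentation placeholders, not real traffic.
SAMPLE_LOG = """\
Jul 28 16:01:02 mx1 postfix/smtpd[1201]: connect from a.example.org[192.0.2.10]
Jul 28 16:01:02 mx1 postfix/smtpd[1201]: Anonymous TLS connection established from a.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 28 16:01:03 mx1 postfix/smtpd[1201]: disconnect from a.example.org[192.0.2.10]
Jul 28 16:02:10 mx1 postfix/smtpd[1202]: connect from b.example.net[198.51.100.7]
Jul 28 16:02:11 mx1 postfix/smtpd[1202]: Anonymous TLS connection established from b.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jul 28 16:02:12 mx1 postfix/smtpd[1202]: disconnect from b.example.net[198.51.100.7]
Jul 28 16:03:30 mx1 postfix/smtpd[1201]: connect from c.example.com[203.0.113.5]
Jul 28 16:03:31 mx1 postfix/smtpd[1201]: disconnect from c.example.com[203.0.113.5]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
TLS = re.compile(r"TLS connection established from (\S+): (\S+) with cipher")
MODERN = {"TLSv1.2", "TLSv1.3"}

def sessions(log_text):
    """Return (client, tls_version or None) for each finished inbound session."""
    open_by_pid, done = {}, []  # one smtpd process serves one client at a time
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            open_by_pid[pid] = [msg.split()[2], None]
        elif pid in open_by_pid and (t := TLS.search(msg)):
            open_by_pid[pid][1] = t.group(2)
        elif pid in open_by_pid and msg.startswith("disconnect from "):
            done.append(tuple(open_by_pid.pop(pid)))
    return done

def impact(log_text):
    """Count sessions by how the two readings of the notice would treat them."""
    out = Counter()
    for _client, version in sessions(log_text):
        if version in MODERN:
            out["unaffected"] += 1
        elif version is None:
            # Plaintext: accepted under opportunistic TLS, refused if TLS is mandatory.
            out["plaintext_refused_only_if_mandatory"] += 1
        else:
            # TLS 1.0/1.1: handshake fails under both readings; only opportunistic
            # mode leaves a plaintext retry open, and that depends on the sender.
            out["legacy_tls_handshake_fails"] += 1
    return dict(out)
```

Calling `impact()` on a day of real `mail.log` content gives the share of senders that would be cut off before any enforcement is switched on.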
