Douglas, 

In general, you can’t impose or mandate TLS under Port 25 for unsolicited, 
unauthenticated sessions. You can do this with ESMTP AUTH, a.k.a. the SUBMISSION 
Protocol (RFC 6409), which is Port 587. Under this port, you can mandate more 
Authentication/Authorization and mail format correctness than with Port 25 and 
not using ESMTP AUTH.

So for example, for PCI, you must use A/A mechanisms probably under Port 587 
because it can be mandated. But not under Port 25.

—
HLS

> On Apr 27, 2023, at 7:04 AM, Douglas Foster 
> <dougfoster.emailstanda...@gmail.com> wrote:
> 
> There are options on TLS failure.  
> 
> Mandatory TLS is actually pretty common, since PCI DSS, HIPAA and GDPR have 
> all been interpreted as requiring TLS on email. For outbound mail, our MTA 
> is configured to drop the connection if encryption cannot be established. I 
> think this configuration option has become pretty common in commercial 
> products. Domains that cannot accept encrypted traffic are handled with 
> secure web relay (Zixmail or one of its many imitators). In the case of a 
> report recipient that cannot accept TLS traffic, we would simply drop the 
> destination.
> 
> For inbound mail, my organization has concluded that data security is the 
> responsibility of the sender, so we do accept unencrypted messages.  
> 
> By and large, mandatory TLS will be implemented consistently, rather than on 
> a specific message like a DMARC report, so I don't know how much needs to be 
> said in this document.
> 
> Doug 
> 



_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
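To make the two policies discussed in this thread concrete (outbound TLS that is mandatory with a relay fallback for domains that cannot do TLS, opportunistic TLS on Port 25, and TLS plus AUTH mandated on the RFC 6409 submission port), here is an added Postfix configuration example. It is not from either poster and assumes Postfix as the MTA; the hostnames, certificate paths and the relay domain are placeholders.

```conf
# /etc/postfix/main.cf  (constructed example; Postfix assumed as the MTA)

# Outbound delivery (smtp client): refuse to send unless TLS is negotiated.
# This is the "drop the connection if encryption cannot be established"
# policy; mail to non-TLS destinations stays queued instead of going in clear.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Destinations known to lack TLS are routed to a secure relay instead
# (see the transport table below), so "encrypt" stays the global default.
transport_maps = hash:/etc/postfix/transport

# Inbound on Port 25 (smtpd): TLS is offered, but it cannot be required of
# unauthenticated, unsolicited peers, so it stays opportunistic ("may").
# AUTH is not offered here at all; it belongs on the submission port.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.key
smtpd_sasl_auth_enable = no
# Even where AUTH is enabled, never accept it over a cleartext session.
smtpd_tls_auth_only = yes
```

The matching transport entry and the Port 587 service (also constructed):

```conf
# /etc/postfix/transport  (run "postmap /etc/postfix/transport" after editing)
# A recipient domain that cannot accept TLS is handed to the secure relay
# rather than being delivered in the clear.
legacy.example.net    smtp:[securerelay.example.net]

# /etc/postfix/master.cf  (submission, RFC 6409, Port 587)
# Here TLS and SASL authentication can both be mandated, because every client
# is a known, authenticated user rather than an arbitrary remote MTA.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

With `smtp_tls_security_level = encrypt`, a destination that never advertises STARTTLS will show up in the mail log as deferred with a TLS-related reason, which is the signal to add it to the transport table or drop the destination as the thread describes.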
