I think the option of forcing TLS within a closed community is fine. 

I think the option of forcing TLS on the world-wide internet is a
minefield for anyone who needs to communicate outside of a relatively
closed network... because email supports fall-back-to-plain-text by
design, and it's hard to mandate that someone else adhere to an ideal
standard if they, at the end of the day, 'don't have to'.

Or to put it another way, I have to work on the assumption that when it
leaves my controlled domain, it could wind up transiting a plain-text
communications link. Opportunistic TLS covers >99% of my email, but I
have to plan for the 1%.  There's no assurance. 

Until there is, because literally everyone can be assumed to have it. 

It might be a better win to start by using TLS transit as a spam scoring
mechanism... reduce the priority or deliverability of email that
originates from a non-TLS platform... consequences that aren't the same
as a black-and-white refusal might be enough to compel a change in
behavior.

Email for me is still a fundamentally untrusted information exchange
medium; if I have a real requirement for security, I'm going to have to
add layers on top.  And because of that, I can officially 'not care'
about a failure to support STARTTLS, because I always assume that'll
probably be the case at some stage anyway.

Regards,
Mark. 

On 2020-08-27 08:33, Scott Mutter via mailop wrote:

> Well, I really just wanted to see what the rest of the community was doing in 
> regards to this.  Seems the resounding answer is a "prefer TLS, but don't 
> disqualify if no TLS" or "opportunistic" TLS. 
> 
> However, experience has also taught me, if you don't force people to make 
> changes then they're not going to change.  In regards to that, maybe this 
> never becomes an issue.  But if the point is to go all TLS all the time, 
> you're going to have to publicly shame those that are dragging their feet or 
> just cut off communication with them entirely.  Maybe some of the 
> administrators to these mail servers don't realize that their mail servers 
> aren't handling STARTTLS and bringing awareness to that (in the form of their 
> users not receiving all of their emails) is a way to light a fire under them. 
> 
> I just wanted to gauge what other mail server administrators were doing in 
> regards to this.  The response is kind of what I expected, but the shift in 
> wanting TLS and encryption on every connection, kind of made me question what 
> the response would be. 
> 
> On Wed, Aug 26, 2020 at 3:02 PM Michael Orlitzky via mailop 
> <mailop@mailop.org> wrote: 
> 
>> On 2020-08-26 12:50, Scott Mutter via mailop wrote:
>>> I've been toying with the idea of forcing outbound SMTP connections to
>>> use TLS, but thought I'd take a quick look and see who might miss mail
>>> if this done. 
>> 
>> This sounds good at first but if you make a flow chart, all paths lead
>> to either "nothing changes" or "shoot yourself in the foot." There's no
>> scenario that I know of where forcing TLS (as opposed to "opportunistic"
>> TLS) improves anything.
>> 
>> _______________________________________________
>> mailop mailing list
>> mailop@mailop.org
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
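Mark's suggestion above of scoring plaintext transit rather than refusing it, worked through as an added example (this is not code from anyone in the thread): it walks the Received trace headers from the most recent hop down, skips hops between the receiving domain's own relays, and applies a score penalty when the hop that crossed into those relays carries an RFC 3848 'with' keyword without the trailing 'S' that records STARTTLS. The host names in OUR_HOSTS, the penalty value and the three sample messages are constructed for the example.

```python
"""Score inbound mail on whether the hop into our own MTAs used TLS.

Added example for the thread above, not any poster's code: a plaintext
boundary hop becomes a spam-score adjustment instead of a refusal.
"""
import re
from email import message_from_string

# Our own MTAs. Constructed names; use the real MX and relay names.
OUR_HOSTS = {"mx1.example.net", "relay.example.net"}
# Assumed penalty for a plaintext boundary hop; tune against other rules.
NO_TLS_PENALTY = 2.0

_FROM = re.compile(r"\bfrom\s+([A-Za-z0-9.\-]+)")
_BY = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)")
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def with_keyword_is_tls(keyword):
    """RFC 3848 keywords ESMTPS, ESMTPSA, UTF8SMTPS, LMTPS ... record that
    STARTTLS was negotiated. A trailing 'A' only records SMTP AUTH, so it
    is stripped before testing for the trailing 'S'."""
    kw = keyword.upper()
    if kw.endswith("A"):
        kw = kw[:-1]
    return kw.endswith("S")


def _strip_comments(text):
    """Remove RFC 5322 comments, nested ones included. Postfix writes
    '(using TLSv1.3 with cipher ...)' as a comment, and that 'with' must
    not be mistaken for the protocol clause."""
    prev = None
    while prev != text:
        prev = text
        text = re.sub(r"\([^()]*\)", " ", text)
    return text


def parse_received(value):
    """Unfold one Received header and return its from/by/with clauses,
    lower-cased, or None where a clause is absent."""
    flat = " ".join(_strip_comments(value).split())

    def grab(rx):
        m = rx.search(flat)
        return m.group(1).lower() if m else None

    return {"from": grab(_FROM), "by": grab(_BY), "with": grab(_WITH)}


def tls_score(raw_message):
    """Return (penalty, explanation) for the first hop written by one of
    OUR_HOSTS whose sender is not ours. That is the only hop we observed
    ourselves; headers below it were written by other people's servers.
    Hops between our own hosts are skipped; local submissions (no 'from'
    clause) are left unscored."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):  # most recent hop first
        hop = parse_received(value)
        if hop["by"] not in OUR_HOSTS or hop["from"] is None:
            continue
        if hop["from"] in OUR_HOSTS:
            continue  # internal relay hop, keep walking down
        if hop["with"] is None:
            return 0.0, "boundary hop has no 'with' clause; not scored"
        where = "%s -> %s (%s)" % (hop["from"], hop["by"], hop["with"].upper())
        if with_keyword_is_tls(hop["with"]):
            return 0.0, "TLS hop " + where
        return NO_TLS_PENALTY, "plaintext hop " + where
    return 0.0, "no boundary hop found"


# Constructed sample messages with Postfix-style trace headers (not real traffic).
TLS_VIA_RELAY = """\
Received: from relay.example.net (relay.example.net [10.0.0.5])
    by mx1.example.net (Postfix) with ESMTP id AAA111
    for <alice@example.net>; Thu, 27 Aug 2020 08:40:02 +0000
Received: from mail.example.org (mail.example.org [192.0.2.10])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by relay.example.net (Postfix) with ESMTPS id BBB222
    for <alice@example.net>; Thu, 27 Aug 2020 08:40:01 +0000
From: bob@example.org
To: alice@example.net
Subject: sent with STARTTLS

hello
"""

PLAINTEXT_DIRECT = """\
Received: from legacy.example.com (legacy.example.com [203.0.113.7])
    by mx1.example.net (Postfix) with ESMTP id DDD444
    for <alice@example.net>; Thu, 27 Aug 2020 08:41:00 +0000
From: carol@example.com
To: alice@example.net
Subject: sent without STARTTLS

hello
"""

LOCAL_SUBMISSION = """\
Received: by mx1.example.net (Postfix, from userid 1000)
    id EEE555; Thu, 27 Aug 2020 08:42:00 +0000
From: root@mx1.example.net
To: alice@example.net
Subject: cron output

hello
"""

if __name__ == "__main__":
    for name, raw in (("TLS via relay", TLS_VIA_RELAY),
                      ("plaintext direct", PLAINTEXT_DIRECT),
                      ("local submission", LOCAL_SUBMISSION)):
        print(name, tls_score(raw))
```

Two caveats a practitioner would want: only the hop written by your own MTA is trustworthy, since every Received line below it came from someone else's server and can say anything; and, as the thread itself points out, a TLS boundary hop says nothing about the earlier hops the message took before reaching you, so this is a scoring signal and not an assurance of end-to-end transport security.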