-m...@openbsd.org +misc@opensmtpd.org [ Original mail thread - https://marc.info/?t=154229350300004&r=1&w=2 ]
Thank you Penty for pointing out the relevant RFC section. I was unaware of STARTTLS being optional. So I tried to understand the RFC requirement. > RFC 2487: > > A publicly-referenced SMTP server MUST NOT require use of the > STARTTLS extension in order to deliver mail locally. This rule > prevents the STARTTLS extension from damaging the interoperability of > the Internet's SMTP infrastructure. A publicly-referenced SMTP server > is an SMTP server which runs on port 25 of an Internet host listed in > the MX record (or A record if an MX record is not present) for the > domain name on the right hand side of an Internet mail address. RFC 2487 was written in Jan 1999. RFC 3207, which obsoletes RFC 2487, was written in Feb 2003. Both of these contain the above text. >From a purely security perspective, a mail received over TLS is preferable over a mail received in the clear. At the same time, there is a non-negligible risk [1] of dropping incoming mails, if one adopts the "tls-require" posture. Is there a mechanism in OpenSMTPD by which mails delivered in the clear can be identified/logged/reported/flagged? The idea is to extract a list of domains from these mails. These domains can then be contacted and encouraged to adopt STARTTLS. This domain list will be specific for every mail server. If a domain chooses to adopt STARTTLS, future mails from that domain will be delivered over TLS. If a domain chooses to not adopt STARTTLS, the mail server administrator can choose to either do nothing or take some action. This action could be to contact the end-users and educate them or to block mail from this particular domain in case the mails are of a sensitive nature. At some point in future, a significant majority of incoming mails for the mail server could be delivered over TLS. If this problem has already been/could be solved in a better way, I would request you to please share the mechanism. Thanks. Regards, ab [1] - https://transparencyreport.google.com/safer-email/overview ---------|---------|---------|---------|---------|---------|---------|-- -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
