On Sun, Sep 08, 2024 at 01:36:39AM +0200, hostmaster--- via Postfix-users wrote:
>> >>     smtp      inet  n       -       -       -       -       smtpd
>> >>       -o smtpd_tls_security_level=encrypt
>
> I thought you were using postscreen?

The postscreen post came from the LinuxMail.cc guy "hijacking" my thread....

>> >>     127.0.0.1:10025 inet  n       -       -       -       -       smtpd
>> >>     ....
>> >>       -o smtpd_tls_security_level=may
>
> Not much point in "may" here, "none" makes more sense. Although another
> approach is to in fact set:
>
>     main.cf:
>         smtpd_tls_security_level=encrypt

Yes, that was also my thought; it's a leftover from trying what works, and as it doesn't do any harm, since it also allows non-secured connections, I just kept "may".

> And of course, I'd be negligent to not mention that I don't recommend a
> hard requirement of TLS on port 25, you may one day reject some important
> mail and not even know it, and if STARTTLS stops working, you may be
> rejecting all mail until it is fixed.

I'm aware of the risk and thought about this before I decided to try to enforce encryption. I checked the logs and it looks like all (for me) important SMTP servers are able to deal with encrypted connections. However, I'm aware this might not be the case all the time and in the future.

However, if a sender can't send an email, he remains in duty if he has to deliver important information, as email is known to be unreliable communication by design (in reality it's very reliable from a technical point of view, but there are no mechanisms granting that a message will be delivered, nor mechanisms granting that a sender gets informed when an email does not reach the recipient, so it's best-effort communication which might not be suitable for important information).

I decided to take it as a trade-off, as I'm a bit tired of accepting that the world is still sending unencrypted emails over unencrypted connections where we have technically had everything we need to implement better security and privacy in mail systems for ages now (my cat's door lock has better security and privacy....).

This is more annoying since other people decide to send me sensitive information over unsecured connections, even without asking me. They call it "digitalization"; I call it a complete failure to respect one's informational self-determination. So my naive approach is: if there were more people just not accepting unsecured email transmissions, we might move a step towards better privacy. Just a little one.

I'll give it a try and keep an eye on non-successful connection attempts. If it's working, fine; if not, I always have the option to fall back to STARTTLS.

Sorry for my two-minute "the world is bad" Sunday rant :-)

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
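The thread ends with the plan to "keep an eye on non-successful connection attempts" after setting `smtpd_tls_security_level=encrypt` on port 25. The script below is an added example, not part of the original post and not Postfix's own tooling: it reads the per-session `disconnect from host[ip] ehlo=1 mail=0/1 ...` summaries that Postfix 3.x `smtpd` logs (a field of the form `a/b` means `a` commands accepted out of `b` attempted; a bare `a` means all were accepted) and flags clients that attempted MAIL, or tried STARTTLS and failed, without ever completing a TLS session. Those are exactly the senders the reply warns about: mail you are rejecting without noticing. The log lines are constructed samples with placeholder hosts and addresses; the field names and the `accepted/attempted` notation follow the Postfix disconnect summary format, and the classification thresholds are this example's own choice.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/mail.log lines (placeholder hosts, not real traffic).
# Session 2311: client negotiated STARTTLS and delivered a message.
# Sessions 2320/2333: client never issued STARTTLS, so its MAIL was refused
#   (Postfix answers "530 5.7.0 Must issue a STARTTLS command first"; the
#   summary shows the attempt as mail=0/1).
# Session 2401: client issued STARTTLS but the handshake failed (starttls=0/1).
SAMPLE_LOG = """\
Sep  8 01:10:02 mx postfix/smtpd[2311]: connect from mail.example.net[192.0.2.10]
Sep  8 01:10:02 mx postfix/smtpd[2311]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep  8 01:10:04 mx postfix/smtpd[2311]: disconnect from mail.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep  8 01:12:40 mx postfix/smtpd[2320]: connect from legacy.example.org[198.51.100.7]
Sep  8 01:12:41 mx postfix/smtpd[2320]: disconnect from legacy.example.org[198.51.100.7] ehlo=1 mail=0/1 rcpt=0/1 quit=1 commands=2/4
Sep  8 01:30:11 mx postfix/smtpd[2333]: connect from legacy.example.org[198.51.100.7]
Sep  8 01:30:12 mx postfix/smtpd[2333]: disconnect from legacy.example.org[198.51.100.7] ehlo=1 mail=0/1 quit=1 commands=2/3
Sep  8 02:05:50 mx postfix/smtpd[2401]: connect from scanner.example.com[203.0.113.5]
Sep  8 02:05:50 mx postfix/smtpd[2401]: SSL_accept error from scanner.example.com[203.0.113.5]: lost connection
Sep  8 02:05:50 mx postfix/smtpd[2401]: disconnect from scanner.example.com[203.0.113.5] ehlo=1 starttls=0/1 commands=1/2
"""

# One disconnect summary per smtpd session: hostname, IP and the command counters.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counts>.*)$"
)
# Counter tokens: name=accepted or name=accepted/attempted.
COUNT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_counts(text):
    """'ehlo=1 mail=0/1 commands=2/3' -> {'ehlo': (1, 1), 'mail': (0, 1), 'commands': (2, 3)}."""
    out = {}
    for name, ok, total in COUNT_RE.findall(text):
        ok = int(ok)
        out[name] = (ok, int(total) if total else ok)
    return out


def classify(counts):
    """Label one session from its counters (categories are this example's own)."""
    st_ok, st_total = counts.get("starttls", (0, 0))
    mail_ok, mail_total = counts.get("mail", (0, 0))
    if st_ok:
        return "tls"                 # STARTTLS completed; later rejects are policy, not TLS
    if st_total:
        return "starttls_failed"     # client tried STARTTLS but the handshake broke
    if mail_total and not mail_ok:
        return "plaintext_rejected"  # MAIL without STARTTLS, refused by the encrypt level
    return "no_mail"                 # banner grabs, EHLO-only probes, nothing to lose


def summarize(log_text):
    """Per client (host, ip): how many sessions fell into each category."""
    per_client = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        per_client[(m["host"], m["ip"])][classify(parse_counts(m["counts"]))] += 1
    return per_client


def senders_losing_mail(log_text):
    """Clients that tried to hand over mail (or tried STARTTLS) and never managed a TLS
    session. A client that succeeded with TLS at least once is a transient problem on its
    side; a client that never did is the mail you are silently refusing."""
    result = {}
    for client, counts in summarize(log_text).items():
        lost = counts["plaintext_rejected"] + counts["starttls_failed"]
        if lost and not counts["tls"]:
            result[client] = dict(counts)
    return result


if __name__ == "__main__":
    for (host, ip), counts in sorted(senders_losing_mail(SAMPLE_LOG).items()):
        print(f"{host}[{ip}]: "
              f"plaintext MAIL refused {counts.get('plaintext_rejected', 0)}x, "
              f"STARTTLS failed {counts.get('starttls_failed', 0)}x, "
              f"TLS sessions {counts.get('tls', 0)}")
```

Run it against the real log (`senders_losing_mail(open('/var/log/mail.log').read())`) from cron or a log-shipper hook; a legitimate MX that appears only under `plaintext_rejected` across several days is the signal to either contact that sender or relax the port-25 level back to `may`. The `starttls_failed` bucket also catches the other failure mode from the reply, your own certificate or TLS setup breaking, because every client would land there at once.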