Every once in a while I run into receiving MTAs (even some running
Postfix) whose administrator has chosen to require STARTTLS for inbound
mail on port 25, refusing all mail delivery attempts in the clear.
This makes it rather difficult to report problems to such a site when
at the same time the server fails to handle STARTTLS because of a
configuration problem (perhaps a bad certificate rollover?).
While I am unlikely to convince the more zealous among you, I'd like to
reiterate that transport security is the client's responsibility, and
servers should be liberal in their TLS policies on port 25.
https://www.postfix.org/TLS_README.html#client_tls_limits
If nobody is holding a gun to your head forcing you to refuse non-TLS
mail from remote senders, best to let some cleartext mail through; the
vast majority of your traffic would still be over TLS, just like it is
at Gmail (inbound is 100% TLS rounded to nearest whole percent):
https://www.google.com/transparencyreport/saferemail/
--
Viktor. 🇺🇦 Слава Україні!
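
To check the claim above against your own traffic, here is an added example (not part of the original post) that classifies inbound sessions from smtpd log lines as TLS, cleartext, or failed STARTTLS, and lists the cleartext senders that a mandatory-TLS policy (`smtpd_tls_security_level = encrypt`) would refuse. It assumes `smtpd_tls_loglevel = 1`; the sample log lines and hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format smtpd logs with smtpd_tls_loglevel = 1.
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
Jan 10 10:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 10:00:02 mx postfix/smtpd[2101]: disconnect from mail.example.org[192.0.2.10]
Jan 10 10:00:05 mx postfix/smtpd[2102]: connect from legacy.example.net[198.51.100.7]
Jan 10 10:00:06 mx postfix/smtpd[2102]: disconnect from legacy.example.net[198.51.100.7]
Jan 10 10:00:09 mx postfix/smtpd[2101]: connect from mx.example.com[203.0.113.5]
Jan 10 10:00:09 mx postfix/smtpd[2101]: SSL_accept error from mx.example.com[203.0.113.5]: -1
Jan 10 10:00:09 mx postfix/smtpd[2101]: lost connection after STARTTLS from mx.example.com[203.0.113.5]
Jan 10 10:00:09 mx postfix/smtpd[2101]: disconnect from mx.example.com[203.0.113.5]
Jan 10 10:00:12 mx postfix/smtpd[2103]: connect from out.example.edu[192.0.2.44]
Jan 10 10:00:12 mx postfix/smtpd[2103]: Untrusted TLS connection established from out.example.edu[192.0.2.44]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 10:00:13 mx postfix/smtpd[2103]: disconnect from out.example.edu[192.0.2.44]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"from (\S+\[[^\]]+\])")

def tls_summary(lines):
    """Classify each inbound session as tls, cleartext or starttls_failed."""
    open_sessions = {}   # smtpd pid -> state; a process serves one session at a time
    counts, cleartext = Counter(), Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            open_sessions[pid] = "cleartext"      # until TLS is seen
        elif pid not in open_sessions:
            continue                              # session began before the log window
        elif "TLS connection established from" in msg:
            open_sessions[pid] = "tls"
        elif msg.startswith(("SSL_accept error from", "lost connection after STARTTLS")):
            open_sessions[pid] = "starttls_failed"
        elif msg.startswith("disconnect from "):
            state = open_sessions.pop(pid)
            counts[state] += 1
            client = CLIENT.search(msg)
            if state == "cleartext" and client:
                cleartext[client.group(1)] += 1   # would be refused under "encrypt"
    return counts, cleartext
```

A rising `starttls_failed` count on your own server is the kind of breakage the post describes, where senders can no longer reach you at all if cleartext is refused.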