In message <20160409210245.gs26...@mournblade.imrryr.org>
Viktor Dukhovni writes:
>
> On Sat, Apr 09, 2016 at 08:46:54AM -0700, jaso...@mail-central.com wrote:
>
> > I'm setting up mandatory TLS policy for a couple of private client
> > servers, using
> >
> > - smtpd_tls_security_level = may
> > + smtpd_tls_security_level = encrypt
> >
> > I started wondering whether it wouldn't be a bad thing to require
> > ALL email delivered to my server, from anywhere, to use TLS.
>
> Your server, your rules, but be prepared to refuse a lot of legitimate
> email.

A review of maillogs would tell you how much would get tossed.

I've been doing some work with automated parse of logs.  If I look at
that (including TLS mail rejected by postscreen vs in-the-clear mail
rejected by postscreen) I'll let you know.

> https://www.google.com/transparencyreport/saferemail/
> https://www.ietf.org/proceedings/95/slides/slides-95-irtfopen-1.pdf
>
> https://www.elie.net/publication/neither-snow-nor-rain-nor-mitm-an-empirical-analysis-of-email-delivery-security
>
> --
> Viktor.

Thanks for the links.  I emailed one of the authors asking why so
little was said about DNSSEC and nothing at all about DANE.

Curtis
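An added example, not part of the original thread: one way to do the maillog review discussed above, counting how many accepted messages arrived over TLS and which clients delivered in the clear (the mail that `smtpd_tls_security_level = encrypt` would refuse). It assumes `smtpd_tls_loglevel = 1` so that smtpd logs a "TLS connection established" line; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not taken from the thread).
SAMPLE_LOG = """\
Apr  9 10:00:01 mx postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
Apr  9 10:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  9 10:00:02 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=mail.example.org[192.0.2.10]
Apr  9 10:00:02 mx postfix/smtpd[2102]: connect from legacy.example.net[198.51.100.7]
Apr  9 10:00:03 mx postfix/smtpd[2102]: 5B2C3D4E5F: client=legacy.example.net[198.51.100.7]
Apr  9 10:00:03 mx postfix/smtpd[2101]: disconnect from mail.example.org[192.0.2.10]
Apr  9 10:00:04 mx postfix/smtpd[2102]: 6C3D4E5F6A: client=legacy.example.net[198.51.100.7]
Apr  9 10:00:04 mx postfix/smtpd[2102]: disconnect from legacy.example.net[198.51.100.7]
Apr  9 10:00:05 mx postfix/smtpd[2101]: connect from news.example.com[203.0.113.5]
Apr  9 10:00:06 mx postfix/smtpd[2101]: 7D4E5F6A7B: client=news.example.com[203.0.113.5]
Apr  9 10:00:06 mx postfix/smtpd[2101]: disconnect from news.example.com[203.0.113.5]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"^[0-9A-Za-z]+: client=(?P<host>[^\[]+)\[")

def tls_breakdown(lines):
    """Return (counts, plaintext_hosts) for messages that were given a queue ID."""
    tls_by_pid = {}              # smtpd PID -> did the current session start TLS?
    counts = Counter()
    plaintext_hosts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            tls_by_pid[pid] = False          # new session; a PID is reused over time
        elif "TLS connection established from " in msg:
            tls_by_pid[pid] = True
        elif msg.startswith("disconnect from "):
            tls_by_pid.pop(pid, None)
        elif (c := CLIENT.match(msg)):
            if pid not in tls_by_pid:        # log starts mid-session: state unknown
                counts["unknown"] += 1
            elif tls_by_pid[pid]:
                counts["tls"] += 1
            else:
                counts["plaintext"] += 1
                plaintext_hosts[c["host"]] += 1
    return counts, plaintext_hosts

if __name__ == "__main__":
    counts, hosts = tls_breakdown(SAMPLE_LOG.splitlines())
    print(dict(counts), hosts.most_common())
```

Only sessions that reach a `client=` line (a queue ID was assigned) are counted; connections dropped earlier, for example by postscreen, do not appear in these totals.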