Would there be some way to redirect unencrypted email to some other server?
Gmail for instance. I would then force encryption on my personal server.

I'm down to one contact (as in a person I know) that isn't using encryption. I 
made two converts!  I haven't checked mailing lists for encryption. 



  Original Message  
From: Wietse Venema
Sent: Friday, July 7, 2017 11:32 AM
To: Postfix users
Reply To: Postfix users
Subject: Re: Require TLS on internet-facing servers?

Correction: my numbers were off because I used case-insensitive search.

robg...@nospammail.net:
> Hello,
> 
> I am starting to set up a Postfix server for our office.
> 
> I'm looking at TLS policy.
> 
> Reading old posts on the Postfix mailing lists there's lots of
> comments that REQUIRING tls should never be done on a public
> internet-facing server.
>
> But those comments are from 5-7 yrs ago.
>
> Is that still the case?

Your server, your rules...

> On a friend's server we just checked 3 months of logs. IIUC there's
> been no non-TLS connections at all in that time:
>
> grep -i "connection established" postfix*.log | wc -l
> 125217
>
> grep -i "connection established" postfix*.log | grep -v TLS | wc -l
> 0
>
> First, is that a legitimate way to check?

No, because "connection established" is logged only for TLS
connections. You'd also have to count the lines with "connect from"
which covers both TLS and non-TLS.

On my tiny server, only 43% of all inbound connections in June 2017
used TLS (a negligible portion of the "connection established" lines
were from tlsproxy).

And that is only for the 4.9% of connections that weren't blocked
by postscreen (25% of all unique clients).

If I were to block non-TLS email, I would miss a lot of email.

Wietse
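
As an added example (not part of the original thread and not Postfix's own tooling), the count described in the reply above can be scripted by pairing each smtpd "connect from" line with a following "TLS connection established from" line logged by the same process ID. It assumes the traditional syslog line layout, the default postfix/smtpd service name, and smtpd_tls_loglevel set to 1 or higher; the log lines are constructed samples.

```shell
#!/bin/sh
# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
Jun  1 10:00:01 mx postfix/smtpd[2101]: connect from a.example[192.0.2.10]
Jun  1 10:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  1 10:00:02 mx postfix/smtpd[2101]: disconnect from a.example[192.0.2.10]
Jun  1 10:00:05 mx postfix/smtpd[2102]: connect from b.example[198.51.100.7]
Jun  1 10:00:06 mx postfix/smtpd[2102]: disconnect from b.example[198.51.100.7]
Jun  1 10:00:07 mx postfix/smtp[2200]: Untrusted TLS connection established to c.example[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  1 10:00:09 mx postfix/smtpd[2101]: connect from d.example[192.0.2.44]
Jun  1 10:00:10 mx postfix/smtpd[2101]: disconnect from d.example[192.0.2.44]
EOF
}

# Prints "total tls plaintext" for inbound smtpd sessions.
# Reads the named log files, or stdin when none are given.
count_inbound_tls() {
  awk '
    # Only smtpd lines: this skips the outbound smtp client
    # ("established to") and tlsproxy entries.
    $5 ~ /^postfix\/smtpd\[[0-9]+\]:$/ {
      pid = $5
      if ($6 == "connect" && $7 == "from") { total++; pending[pid] = 1; next }
      # One smtpd process serves one client at a time, so the PID ties
      # the TLS summary line to the preceding "connect from".
      if (pending[pid] && /TLS connection established from/) { tls++; pending[pid] = 0 }
      if ($6 == "disconnect") pending[pid] = 0
    }
    END { printf "%d %d %d\n", total, tls, total - tls }
  ' "$@"
}

sample_log | count_inbound_tls
```

On the sample, a case-insensitive grep for "connection established" also matches the outbound smtp line, which is why the function filters on the smtpd service before counting.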
