Re: Has rfc2487 been obsoleted and mandatory TLS in smtpd is now kosher?

[Viktor Dukhovni]

> On 29 Jul 2021, at 8:17 am, raf <post...@raf.org> wrote:
> 
> The Rhenus email did say:
> 
>  "...must be sent with the TLS 1.2 protocol or higher.
>  Any mail received without fulfilling this condition
>  will be rejected by our server."
> 
> That second sentence sounds to me like a definite
> statement that an SMTP connection that doesn't initiate
> STARTTLS will not be able to send email. At least, I
> can't see how else to interpret those words.

The simplest thing they could do is just disable TLS 1.0.
This would also comply with some brain in neutral audit.

My money is on brain in neutral, as opposed to a carefully
considered risk assessment in which they've concluded that
they only receive legitimate email from TLS-1.2-capable
senders.  I may be wrong in this case, but my "b[ae]tting
average" would generally be quite high in general.

So expect a poorly thought out simple TLS policy, rather
than a carefully considered comprehensive policy.

-- 
        Viktor.