On 2020-08-27 at 12:25 +1200, Mark Foster via mailop wrote:
> I think the option of forcing TLS within a closed community is fine.
> I think the option of forcing TLS on the wide-wide-internet is a
> minefield for anyone who needs to communicate outside of a relatively
> closed network...
While on this topic, it would be nice if the mailop mailing list started using STARTTLS when delivering the list emails. Other offenders include NANOG, the CA/Browser Forum, moderncrypto.org, several gpg mailing lists... ☹

And STARTTLS *sending* is much easier than receiving, where you at least need a dumb certificate. Let's not start a discussion on requiring CA-signed certificates, TLS ≥ 1.2 or MTA-STS.

Interestingly, some of those servers, while not using STARTTLS themselves, do support it for receiving (apparently being handled by the same host). So just a matter of (mis)configuration (?)

Maybe it's time to add a milter which automatically prepends to every message not sent with STARTTLS: «WARNING: This message was NOT transmitted securely given the lack of support of example.com mail server. It may have been seen, copied and modified in-transit in an undetectable way.»

Cheers

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
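As an added example (not code from the post above and not a libmilter binding), here is the decision logic such a warning milter would need: take the topmost Received: header, decide from the RFC 3848 "with" protocol keyword (ESMTPS/ESMTPSA, or Exim's lowercase esmtps) or from a TLS comment whether the last hop was protected, and prepend the proposed warning to plaintext deliveries. The two sample messages are constructed (example domains, made-up queue ids) and the X-Transport-Security header name is an assumption.

```python
"""Decision logic for the proposed 'no STARTTLS' warning milter (added example)."""
import re
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple

# 'with' protocol keywords (RFC 3848 / RFC 6531) that mean the hop ran under TLS.
# Exim writes them in lowercase (esmtps), Postfix and Sendmail in uppercase (ESMTPS).
TLS_PROTOCOLS = {"esmtps", "esmtpsa", "utf8smtps", "utf8smtpsa"}

WARNING = ("WARNING: This message was NOT transmitted securely given the lack of "
           "support of {host} mail server. It may have been seen, copied and "
           "modified in-transit in an undetectable way.")

TRACE_HEADER = "X-Transport-Security"   # header name is an assumption for this example


def _strip_comments(text: str) -> str:
    """Drop RFC 5322 comments, innermost first, so that Postfix's
    '(using TLSv1.2 with cipher ...)' is not mistaken for the 'with <protocol>' clause."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text


def hop_used_tls(received: str) -> bool:
    """True if a single Received: header value records a TLS-protected hop."""
    flat = " ".join(received.split())          # unfold continuation lines
    m = re.search(r"\bwith\s+([A-Za-z0-9]+)", _strip_comments(flat), re.IGNORECASE)
    if m and m.group(1).lower() in TLS_PROTOCOLS:
        return True
    # Fallback: MTAs that only note the TLS version inside a comment, e.g. '(using TLSv1.3 ...)'.
    return re.search(r"\(.*\bTLS\s*v?1[._]\d", flat, re.IGNORECASE) is not None


def sending_host(received: str) -> str:
    """Host name the MTA logged in the 'from' clause (used to name the offender)."""
    flat = " ".join(_strip_comments(received).split())
    m = re.match(r"from\s+(\S+)", flat, re.IGNORECASE)
    return m.group(1) if m else "unknown"


def last_hop(msg: Message) -> Optional[str]:
    """The receiving MTA prepends its own Received: line, so index 0 is the hop just made."""
    hops = msg.get_all("Received") or []
    return hops[0] if hops else None


def annotate(raw: str) -> Tuple[bool, str]:
    """Return (changed, message). Prepends WARNING to a text/plain body when the last
    hop was plaintext and always adds a trace header; messages without a Received:
    header (or with a TLS hop) are left untouched."""
    msg = message_from_string(raw)
    hop = last_hop(msg)
    if hop is None or hop_used_tls(hop):
        return False, raw
    if msg.get_content_type() == "text/plain" and not msg.is_multipart():
        msg.set_payload(WARNING.format(host=sending_host(hop)) + "\n\n" + msg.get_payload())
    msg[TRACE_HEADER] = "plaintext"            # machine-readable trace, also for multipart
    return True, msg.as_string()


# Constructed sample messages (example domains, made-up queue ids).
TLS_SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mx.example.net (Postfix) with ESMTPS id 4BcDeF
    for <user@example.net>; Thu, 27 Aug 2020 12:25:00 +1200 (NZST)
From: someone@example.org
To: user@example.net
Subject: sample with STARTTLS hop
Content-Type: text/plain; charset=us-ascii

hello
"""

PLAIN_SAMPLE = """\
Received: from lists.example.com (lists.example.com [198.51.100.5])
    by mx.example.net (Postfix) with ESMTP id 7GhIjK
    for <user@example.net>; Thu, 27 Aug 2020 12:30:00 +1200 (NZST)
From: list@lists.example.com
To: user@example.net
Subject: sample without STARTTLS hop
Content-Type: text/plain; charset=us-ascii

hello
"""

if __name__ == "__main__":
    for raw in (TLS_SAMPLE, PLAIN_SAMPLE):
        changed, out = annotate(raw)
        print("annotated" if changed else "left alone", "->", out.splitlines()[0])
```

Parsing Received: headers is the portable way to demonstrate the check offline; in a real milter the MTA hands over the connection's TLS state directly (Postfix, for instance, exports it to milters through macros such as {tls_version}), which is both simpler and not spoofable by a sender who forges trace headers.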