Forcing TLS For SMTP?


I have a goal of securing email. Updated the company mail server and DNS
(CentOS 7 + Postfix, otherwise pretty stock) with support for SPF, DKIM, and DMARC. So far, all good, and everything “just works”.

Our mail server has supported SMTP / TLS for a long time, but recently I’ve been considering requiring TLS all the time.

Is there anybody here who’s done this? Has it caused any particular fallout?
I’m curious about:

1) Requiring SMTP / TLS for any inbound email.

2) Requiring SMTP / TLS for any outbound email.

Thanks

5 thoughts on - Forcing TLS For SMTP?

  • As you indicate you have opportunistic TLS now, go back through your mail logs and see which inbound and outbound connections aren’t using it. You will likely not be able to communicate with the correspondents involved on those connections if you require TLS on all connections.

    – Richard

  • The obvious consideration is that if the other server does not offer tls, the connection will fail and you will not be able to communicate.

    Further, RFC2487 states that enforcing tls must not be used on public facing mail servers.

    So if you want to enforce tls to ensure encryption on purely internal mail servers, that is fine but your external facing SMTP servers must not enforce tls.

    See the Postfix tls documentation for more information:

    http://www.postfix.org/TLS_README.html

  • See bottom post below.

    Is there a useful defense against STARTTLS being stripped from unencrypted communications?

    https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

    Our company sometimes does business in countries hostile to encryption and if there’s a means to enforce this appropriately, I’d like to implement it.

    Seems to me something like a DMARC DNS TXT flag would be appropriate for this. smtptls=none|any|required; ? But that’s just an idea.

  • To what end? Just for your own information? If so you can get it from your logs.

    Or do you want to prevent communication from happening at all? In that case, you could still get it from your logs. IP address X strips the encryption, so now we’ll blacklist it. You could probably automate that analysis and blacklisting.

    Of course, then you won’t be able to communicate with that guy any more, which might not be a great idea if you’re trying to do business with him.
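Going through the mail logs as the first and fourth replies suggest, as an added example that is not code from this thread: it parses a constructed Postfix log excerpt and lists the peers that still exchange mail in plaintext, i.e. the correspondents that would be cut off by a mandatory TLS setting. It assumes Postfix is logging TLS sessions (smtpd_tls_loglevel / smtp_tls_loglevel at 1 or higher), so that a "TLS connection established" line appears before each session's client= or relay= line.

```python
import re
from collections import defaultdict

# Constructed Postfix log excerpt (not real traffic): smtpd = inbound sessions, smtp =
# outbound deliveries. With TLS logging on (loglevel >= 1), Postfix logs "TLS connection
# established" from the same process (pid) before that session's client= or relay= line.
SAMPLE_LOG = """\
Dec  5 00:10:01 mx postfix/smtpd[2001]: Anonymous TLS connection established from mail.partner.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec  5 00:10:02 mx postfix/smtpd[2001]: 1A2B3C4D5E: client=mail.partner.example[192.0.2.10]
Dec  5 00:11:10 mx postfix/smtpd[2002]: 6F7A8B9C0D: client=legacy.vendor.example[198.51.100.7]
Dec  5 00:12:00 mx postfix/smtp[3001]: Untrusted TLS connection established to mx.customer.example[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Dec  5 00:12:01 mx postfix/smtp[3001]: AB12CD34EF: to=<bob@customer.example>, relay=mx.customer.example[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Dec  5 00:13:00 mx postfix/smtp[3002]: 9988776655: to=<eve@oldhost.example>, relay=mail.oldhost.example[203.0.113.99]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
"""
LINE_RE = re.compile(r"postfix/(?P<prog>smtpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_IN_RE = re.compile(r"TLS connection established from \S+:")
CLIENT_RE = re.compile(r": client=(?P<host>\S+)$")
TLS_OUT_RE = re.compile(r"TLS connection established to (?P<host>\S+):\d+:")
RELAY_RE = re.compile(r"relay=(?P<host>\S+):\d+,.*status=sent")

def tls_usage(log_text):
    """Count TLS vs. plaintext sessions per peer host, split by direction."""
    report = {"inbound": defaultdict(lambda: {"tls": 0, "plain": 0}),
              "outbound": defaultdict(lambda: {"tls": 0, "plain": 0})}
    inbound_tls = {}   # smtpd pid -> True once STARTTLS completed in its current session
    outbound_tls = {}  # smtp pid -> peer this process most recently negotiated TLS with
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        prog, pid, msg = m.group("prog"), m.group("pid"), m.group("msg")
        if prog == "smtpd":
            if TLS_IN_RE.search(msg):
                inbound_tls[pid] = True
            elif (c := CLIENT_RE.search(msg)):
                state = "tls" if inbound_tls.pop(pid, False) else "plain"
                report["inbound"][c.group("host")][state] += 1
        elif (t := TLS_OUT_RE.search(msg)):
            outbound_tls[pid] = t.group("host")
        elif (r := RELAY_RE.search(msg)):
            # Same pid and same peer as its last TLS line: delivered over TLS (Postfix
            # connection caching may reuse one TLS session for several deliveries).
            state = "tls" if outbound_tls.get(pid) == r.group("host") else "plain"
            report["outbound"][r.group("host")][state] += 1
    return {k: dict(v) for k, v in report.items()}

def peers_without_tls(report):
    """Peers that would break under mandatory TLS: any session seen in plaintext."""
    return sorted((direction, host) for direction, peers in report.items()
                  for host, counts in peers.items() if counts["plain"])
```

Run it over a real /var/log/maillog (or the journal) before switching the security level from "may" to "encrypt"; every peer it lists is a correspondent that will stop receiving or delivering mail.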

  • On 05.12.19 at 00:14, Lists wrote:

    MTA-STS and DANE exist but their real world usage is quite low and you may run into problems if you want to enforce these solutions. You could give it a try but don’t expect too much.