How feasible (or infeasible) is it today to configure mandatory TLS encryption on a public-facing server? Are there any stats on the percentage of mail servers that don't support TLS and the percentage of known large-volume mail servers that don't support TLS (I suspect zero on the latter)?

BTW, it would be nice if there was a version of smtp_tls_security_level=dane with a fallback of secure or encrypt. I also notice there is no smtpd_tls_security_level=dane or dane-only. This could also be handled in smtpd_tls_req_ccert = dane or dane-only. It would also be good if the fallback from dane was settable. Perhaps a smtp_tls_security_dane_fallback=* and smtpd_tls_security_dane_fallback=* would solve this so that a value higher than "may" can be the fallback.

BTW, Postfix docs cite rfc2487, which dates back to 1999. A lot has changed. rfc2487 is obsoleted by rfc3207 but the must not ... starttls is still there. So my question is about disregarding the must not regarding STARTTLS.

Any stats on how much would break if client and/or server certs were required and with either DANE or CA signed in the next hop?

Also any stats on implementation of REQUIRETLS?

Curtis
