On 02-04-2026 at 15:24, Wietse Venema via Postfix-users wrote:
> Paul van der Vlis via Postfix-users:
>> Hello,
>
> Morning.

Good morning to you too!

>> Here in the Netherlands, we have several providers that claim email only
>> runs via encrypted connections. Like https://soverin.com/ .
>> Connections to and from other mail servers that do not accept secure
>> encryption, are rejected.
>
> https://soverin.com/product/technical-specs lists among others:
>
> * worldwide 100% correct SMTP, DANE, TLSA
> * Fully compliant (and more) with all email protocols and standards
>   like GDPR, AVG, SPF, DANE, TLSA, TLS, BIMI, SRS, SSL, DNSSEC
>
> [there is more, such as 'no queuing', but no mention of MTA-STS]

I think they don't need MTA-STS, because they refuse to communicate with
mailservers that do not do secure encryption.

From the FAQ:

Do you use encrypted connections?
Yes. We ALWAYS use encrypted connections. We never send emails over
unencrypted connections (between you and us, and not between us and mail
servers of people you email, especially this last part is important!)

Here in the Netherlands there is a serious government-sponsored website that
can test how good and secure your e-mail is. This also does not test
MTA-STS, I've asked them why but I am waiting for an answer.
Postfix.org gets only 90% OK:
https://en.internet.nl/mail/postfix.org/1811792/#
Soverin gets 100% (and my new mail-setup does also get 100%).

> On the client side, this may be a candidate for Postfix 3.11:
>
> smtp_requiretls_policy =
>     inline:{{nl = enforce}}, opportunistic

They do it world-wide, and this is not really new as far as I know. The
internet provider "freedom.nl" also uses their mail-setup. Freedom
Internet is a bit what XS4ALL was earlier, maybe you know it.

> Your Postfix SMTP server cannot force a client to securely authenticate
> the server's TLS certificate.

But on the server-side, you can do everything that's possible.

>> I would like that myself, but I wonder what happens if a connection
>> cannot be established. I would like such a message to be returned to the
>> sender immediately, rather than getting stuck in the queue.
>
> With the 'enforce' above, the Postfix SMTP client will try multiple
> MX hosts before it returns the message as undeliverable because no
> MX host supports "strongly authenticated TLS".

And what about:

smtp_requiretls_policy = enforce

Do you know about mailservers that will not work?

> Your Postfix SMTP server cannot force a client to immediately return
> a message to the sender.

That's right ;-)

Bye,
Paul
--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/