On 10/12/13 18:06, Kim Holburn wrote:
> Mostly emails end up going between your server and your recipient's
> server in the clear, although that may start to change.
This is called Opportunistic TLS. It's already used by default in recent versions of Exim and in Microsoft Exchange 2007 and onwards. It's also easily enabled in Postfix with just a few lines added to /etc/postfix/main.cf:

    smtpd_tls_cert_file=/path/to/cert.pem
    smtpd_tls_key_file=/path/to/priv.key
    smtpd_use_tls=yes
    smtp_tls_security_level = may
    # offer STARTTLS in EHLO
    smtp_tls_note_starttls_offer = yes
    # extra logging

Yes, Opportunistic TLS is still vulnerable to man-in-the-middle attacks (e.g. Iran), but then again so is plain text. Rather, Opportunistic TLS thwarts passive sniffing (e.g. NSA).

Policy maps may be used on a per-domain basis to enforce certificate verification (either against a known fingerprint, or against certificate authorities) to thwart man-in-the-middle attacks.

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
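The difference between the `may` level in the config above and a per-domain policy map is easiest to see by simulating the client-side decision Postfix makes on each delivery attempt. The following is an added example written for this thread, not code from the post or from Postfix itself; it models the semantics of `smtp_tls_security_level`, `smtp_tls_policy_maps` (including `fingerprint match=...`) and the log line that `smtp_tls_note_starttls_offer` produces, using constructed EHLO responses, a constructed policy table and a constructed byte string in place of a real DER certificate. The domains, fingerprint and CA-verification flag are all assumptions for the demonstration.

```python
"""Simulation of a sending MTA's opportunistic vs. enforced TLS decision.

Models Postfix-style behaviour: a default security level of "may" falls back
to cleartext when the remote EHLO does not announce STARTTLS, while per-domain
policy entries (encrypt / fingerprint / secure) defer delivery instead.
Constructed data only; no network access and no real certificates.
"""
import hashlib
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Policy = Tuple[str, Dict[str, str]]  # (security level, attributes such as match=...)


class Decision(NamedTuple):
    action: str      # "plaintext", "tls" or "defer"
    reason: str
    log: List[str]   # what a note_starttls_offer-style logger would record


def parse_policy_map(text: str) -> Dict[str, Policy]:
    """Parse 'domain level [attr=value ...]' lines (smtp_tls_policy_maps style).

    Blank lines and lines starting with '#' are ignored, as in Postfix tables."""
    table: Dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, level, *attrs = line.split()
        table[domain.lower()] = (level, dict(a.split("=", 1) for a in attrs))
    return table


def parse_ehlo(response: str) -> set:
    """Return the EHLO keywords announced after the greeting line of a 250 reply."""
    caps = set()
    for line in response.splitlines()[1:]:          # first line is the hostname greeting
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def fingerprint(cert_der: bytes, digest: str = "sha256") -> str:
    """Colon-separated hex digest of the DER certificate, the form used in match=."""
    h = hashlib.new(digest, cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def decide(domain: str, ehlo_response: str, policy_map: Dict[str, Policy],
           default_level: str = "may", cert_der: Optional[bytes] = None,
           ca_verified: bool = False) -> Decision:
    """Decide how to deliver to `domain` given its EHLO reply and the policy table."""
    level, attrs = policy_map.get(domain.lower(), (default_level, {}))
    offered = "STARTTLS" in parse_ehlo(ehlo_response)
    log: List[str] = []

    if level == "none":
        if offered:  # the line smtp_tls_note_starttls_offer=yes would produce
            log.append(f"Host offered STARTTLS: [{domain}]")
        return Decision("plaintext", "TLS disabled by policy", log)

    if not offered:
        if level == "may":
            return Decision("plaintext", "STARTTLS not offered; opportunistic delivery in the clear", log)
        # an enforced level treats a missing STARTTLS as a failure, not a downgrade
        return Decision("defer", f"policy '{level}' requires TLS but STARTTLS was not offered", log)

    if level in ("may", "encrypt"):
        return Decision("tls", "encrypted, peer certificate not verified", log)

    if level == "fingerprint":
        expected = attrs.get("match", "").upper().split("|")
        if cert_der is not None and fingerprint(cert_der) in expected:
            return Decision("tls", "encrypted, certificate matches pinned fingerprint", log)
        return Decision("defer", "certificate fingerprint mismatch", log)

    if level in ("verify", "secure"):
        if ca_verified:  # stands in for the CA chain check Postfix performs
            return Decision("tls", "encrypted, certificate verified against trusted CAs", log)
        return Decision("defer", "certificate failed CA verification", log)

    raise ValueError(f"unknown TLS security level {level!r}")


# ---- constructed sample inputs (not real hosts, certificates or fingerprints) ----
BANK_CERT_DER = b"constructed DER bytes standing in for bank.example's certificate"
POLICY_MAP_TEXT = f"""
# per-domain overrides; everything else falls back to the default level ("may")
example.com      secure
bank.example     fingerprint match={fingerprint(BANK_CERT_DER)}
legacy.example   none
"""
POLICY = parse_policy_map(POLICY_MAP_TEXT)

EHLO_WITH_STARTTLS = "250-mx.example.com Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_STRIPPED = "250-mx.example.com Hello\r\n250-SIZE 10240000\r\n250 8BITMIME"

if __name__ == "__main__":
    for dom, ehlo in [("other.example", EHLO_WITH_STARTTLS), ("other.example", EHLO_STRIPPED),
                      ("example.com", EHLO_STRIPPED), ("bank.example", EHLO_WITH_STARTTLS)]:
        d = decide(dom, ehlo, POLICY, cert_der=BANK_CERT_DER, ca_verified=True)
        print(f"{dom:15} {d.action:9} {d.reason}")
```

Running it shows the point of the thread in one table: an unlisted domain whose EHLO lacks STARTTLS is delivered in the clear under `may`, whereas the same stripped EHLO for a domain listed as `secure` or `fingerprint` defers the message, which is what turns an active interception attempt into a visible delivery failure rather than a silent downgrade.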
