I've considered an opposite DANE, where a server can know whether to refuse
an unencrypted connection.  One could imagine an extension to SPF, for
example, saying that only encrypted connections from these IPs are to be
considered authed, or just abusing SPF to signal that encryption is required as well.
SPF is certainly used today for listing IPs for whitelisting and such, so
it's not a stretch to use it for an SSL-everywhere usage.

SMTP has been a lowest-common-denominator method of contact at all costs,
but the minimum bar is rising, especially in this post-Snowden world.

Brandon
On Jun 26, 2015 5:54 PM, "Michelle Sullivan" <miche...@sorbs.net> wrote:

> Brandon Long wrote:
> >
> >
> > On Fri, Jun 26, 2015 at 11:53 AM, Carl Byington <c...@five-ten-sg.com> wrote:
> >
> >     -----BEGIN PGP SIGNED MESSAGE-----
> >     Hash: SHA1
> >
> >     On Thu, 2015-06-25 at 13:25 -0700, Brandon Long wrote:
> >     > We haven't implemented it yet, though we expect to in the near
> >     future.
> >
> >     Does this mean that google will then refuse to deliver mail to sites
> >     that:
> >
> >     1) advertise starttls in response to ehlo, and
> >     2) have a 512 bit DH key?
> >
> >     That seems to be implied by "we (google) stopped falling back to
> >     unencrypted connections..."
> >
> >
> > Yes, that's what I meant.  We already fail delivery if you advertise
> > STARTTLS and we can't negotiate, either because you don't have a key
> > installed or whatever, or if your SSL version isn't compatible with
> > ours.  I.e., we recently started advertising for a TLS1.2 connection on
> > outbound, which means some broken ssl3/tls1 clients won't be able to
> > work with us anymore because they didn't correctly handle a TLS1.2 ask
> > (even though it should be protocol compatible at that level).  I
> > imagine at some point we'll give up on SSL3 as well (the percentage is
> > already pretty tiny).
>
> And then you have those at the other end of the spectrum...
>
> Jun 26 19:27:36 battlestar postfix/smtp[67576]: 8ABEDE0437:
> to=<platf...@linkdatacenter.net>,
> relay=empmx.linkdatacenter.net[196.205.5.10]:25, delay=180723,
> delays=180712/0.24/5.7/5.2, dsn=4.0.0, status=deferred (host
> empmx.linkdatacenter.net[196.205.5.10] said: 451 5.7.3 Must issue a
> STARTTLS command first (in reply to MAIL FROM command))
>
> (I haven't configured any sort of encryption in this server at all - I
> don't think it's even linked to an SSL library)
>
> ... You know I'm going to get someone swearing/blogging/reporting at me
> for 'not answering their support issue'
>
> :/
>
> Please tell me that any sane mail server will "ok you want un-encrypted,
> no problem..." and "ok you want encrypted, ok well you have to be to
> this standard, and no if you want to drop back, sorry you have to
> restart the connection..."  (def 'sane': anyone one might want to
> exchange data with)
>
> --
> Michelle Sullivan
> http://www.mhix.org/
>
>
_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
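The Postfix deferral Michelle quoted and the delivery policy Brandon describes (no fallback to plaintext once STARTTLS is advertised) both surface in the sending server's outbound log, and that log is where an operator first learns that a peer rejects the current TLS setting. As an added example, not code from this thread or from Postfix, here is a small Python parser that picks out `postfix/smtp` deferrals caused by a TLS policy mismatch and groups them by relay, separating "the remote demands TLS and we never offered it" from "we demand TLS and the remote never offered it" and from a failed handshake. The log lines are constructed, modelled on the one quoted above, using documentation hostnames and addresses; the three matched reply texts are ones Postfix or a STARTTLS-enforcing peer actually emits, but the category names are my own.

```python
"""Classify Postfix outbound (postfix/smtp) deferrals caused by TLS policy
mismatches between sender and receiver.

Added example for this thread; not Postfix's own code.  The sample log lines
are constructed, modelled on the line quoted in the thread, with documentation
hostnames and addresses (example.net, 192.0.2.0/24) in place of real hosts.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Fields Postfix's smtp client writes for each delivery attempt; the trailing
# parenthesised text is the remote server's reply or the local error message.
_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-F]+): "
    r"to=<(?P<recipient>[^>]*)>, relay=(?P<relay>\S+), "
    r"delay=\S+, delays=\S+, dsn=(?P<dsn>\S+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

# Detail-text patterns that point at a TLS policy mismatch, mapped to a
# category (my own names) saying which side's configuration is at odds.
_TLS_CAUSES = [
    # Remote enforces TLS; our client never sent STARTTLS (local TLS disabled).
    (re.compile(r"Must issue a STARTTLS command first", re.I), "remote_requires_tls"),
    # Our policy demands TLS; remote did not advertise STARTTLS in its EHLO reply.
    (re.compile(r"TLS is required, but was not offered", re.I), "local_requires_tls"),
    # STARTTLS was advertised but negotiation failed (key size, ciphers, version).
    (re.compile(r"Cannot start TLS: handshake failure", re.I), "handshake_failure"),
]


@dataclass
class Attempt:
    queue_id: str
    recipient: str
    relay: str
    dsn: str
    status: str
    detail: str
    tls_cause: Optional[str]


def classify_detail(detail: str) -> Optional[str]:
    """Return the TLS mismatch category for a deferral reason, or None."""
    for pattern, cause in _TLS_CAUSES:
        if pattern.search(detail):
            return cause
    return None


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one postfix/smtp delivery line; None for lines of other shapes."""
    m = _LINE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return Attempt(d["queue_id"], d["recipient"], d["relay"], d["dsn"],
                   d["status"], d["detail"], classify_detail(d["detail"]))


def tls_deferrals_by_relay(log_text: str) -> dict:
    """Count TLS-caused deferrals per relay, keyed by mismatch category, so an
    operator sees which peers reject the current TLS policy and which way the
    mismatch runs.  Sent mail and non-TLS deferrals are ignored."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        a = parse_line(line)
        if a and a.status == "deferred" and a.tls_cause:
            counts[a.relay][a.tls_cause] += 1
    return {relay: dict(c) for relay, c in counts.items()}


# Constructed sample log: one deferral per TLS category, one successful
# delivery and one unrelated deferral that must not be counted.
SAMPLE_LOG = """\
Jun 26 19:27:36 mta1 postfix/smtp[67576]: 8ABEDE0437: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=180723, delays=180712/0.24/5.7/5.2, dsn=4.0.0, status=deferred (host mx.example.net[192.0.2.10] said: 451 5.7.3 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Jun 26 19:28:01 mta1 postfix/smtp[67580]: 1A2B3C4D5E: to=<bob@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=12, delays=0.1/0/11/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.example.org[192.0.2.20])
Jun 26 19:28:05 mta1 postfix/smtp[67581]: 2B3C4D5E6F: to=<carol@example.com>, relay=mx.example.com[192.0.2.30]:25, delay=3, delays=0.1/0/2.8/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Jun 26 19:28:09 mta1 postfix/smtp[67582]: 3C4D5E6F7A: to=<dave@example.com>, relay=mx.example.com[192.0.2.30]:25, delay=1, delays=0.1/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 26 19:28:12 mta1 postfix/smtp[67583]: 4D5E6F7A8B: to=<erin@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=5, delays=0.1/0/4/0.9, dsn=4.4.2, status=deferred (lost connection with mx.example.net[192.0.2.10] while receiving the initial server greeting)
"""

if __name__ == "__main__":
    for relay, causes in tls_deferrals_by_relay(SAMPLE_LOG).items():
        print(relay, causes)
```

Run against a real `mail.log` the same function gives a per-relay table; a relay that only ever shows `remote_requires_tls` is the case in Michelle's log (the peer insists on STARTTLS and the sender has no TLS at all), while `handshake_failure` against a peer that advertises STARTTLS is the case Carl asked about, where the sender refuses to fall back to plaintext.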
