On Tue, May 12, 2015 at 01:45:47AM +0100, Kevin Chadwick wrote:
> On Mon, 11 May 2015 17:15:35 +0200
> Gilles Chehade wrote:
>
> > I can't honestly recall if we still do this without checking first, but there
> > was some code in OpenSMTPD to always attempt SMTPS before attempting STARTTLS
> > when trying to do opportunistic crypto. This means that for hosts that would
> > set up both SMTPS and STARTTLS, we would always take SMTPS.
> >
> > In practice, I'm not even sure we still do this because our stats showed that
> > we _never_ exchanged with a host over SMTPS; no host ever offers it.
>
> I wonder what is best, more likely and easier to accomplish or gain
> traction.
>
> SMTPS or DNSSEC
>
> DNSSEC causes problems but people seem to be wanting it enough to
> implement it anyway, though many providers still, including I believe
> Google Cloud DNS, do not. I am still in two minds about it.
>
> SMTPS would be best and doesn't create problems, but is getting traction
> mainly a matter of getting postfix, exim and opensmtpd to enable it "by
> default"?
>
> How long would either take to become widespread?
OpenSMTPD supports SMTPS and you can set it up as easily as TLS; however, it is widely considered a deprecated protocol in favour of TLS, so you're not going to see it widespread any time soon ...

As for getting it to be enabled by default on OpenSMTPD:

https://github.com/OpenSMTPD/OpenSMTPD/issues/558

With the recent rework of the pki/ca code inside smtpd, we can now consider this for real. We could generate the cert at first start like OpenSSH, then a default smtpd.conf with:

    pki "*" certificate "/etc/mail/opensmtpd.crt"
    pki "*" key "/etc/mail/opensmtpd.key"

-- 
Gilles Chehade
https://www.poolp.org @poolpOrg

-- 
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
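What the "generate the cert at first start like OpenSSH" idea from the message above would look like as a first-boot script, as an added example that is not OpenSMTPD's own code: the two pki lines are the ones Gilles quotes; the file paths, the hostname used as CN, the key size and validity period, and the "listen on" lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not OpenSMTPD's own code: first-start certificate generation
# in the spirit of "ssh-keygen -A", plus the default smtpd.conf from the
# message. Paths, the hostname used as CN, key size/validity and the
# "listen on" lines are assumptions for illustration.

# Create $dir/opensmtpd.{crt,key} once. Never overwrites an existing key
# pair, and the private key is created with mode 0600 from the start
# (umask inside a subshell so the caller's umask is untouched).
opensmtpd_firstboot() {
    dir="${1:-/etc/mail}"
    host="${2:-$(hostname 2>/dev/null || echo localhost)}"
    crt="$dir/opensmtpd.crt"
    key="$dir/opensmtpd.key"

    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    if [ -s "$crt" ] && [ -s "$key" ]; then
        return 0            # already initialised on an earlier boot
    fi
    command -v openssl >/dev/null 2>&1 || return 1

    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
          -subj "/CN=$host" -keyout "$key" -out "$crt" >/dev/null 2>&1 ) \
      || { rm -f "$crt" "$key"; return 1; }
    chmod 0600 "$key" && chmod 0644 "$crt"
}

# Write the default smtpd.conf proposed in the message. The two pki lines
# are quoted from it; the listen lines are an assumed example that offers
# STARTTLS on port 25 and SMTPS on port 465 (syntax of the 2015-era daemon
# is assumed, check it against smtpd.conf(5) for your version).
opensmtpd_default_conf() {
    dir="${1:-/etc/mail}"
    cat >"$dir/smtpd.conf" <<EOF
pki "*" certificate "$dir/opensmtpd.crt"
pki "*" key "$dir/opensmtpd.key"

listen on lo0
listen on egress tls
listen on egress port 465 smtps
EOF
}

# Syntax-check the generated configuration when smtpd is installed
# (smtpd -n parses the file without starting the daemon). Returns 0 when
# the check passes or when no smtpd binary is available to run it.
opensmtpd_check_conf() {
    dir="${1:-/etc/mail}"
    command -v smtpd >/dev/null 2>&1 || return 0
    smtpd -n -f "$dir/smtpd.conf"
}

# Demonstration in a scratch directory so the script is safe to run as-is;
# a real first-boot hook would pass /etc/mail (the default) instead.
demo_dir="$(mktemp -d)"
if opensmtpd_firstboot "$demo_dir" mail.example.test; then
    opensmtpd_default_conf "$demo_dir"
    opensmtpd_check_conf "$demo_dir"
    cat "$demo_dir/smtpd.conf"
fi
```

Running the script a second time is a no-op for the key pair, which is the property that matters for a first-boot hook: regenerating the key on every start would silently change the server's identity. Note the caveat that follows from the thread: a certificate generated this way is self-signed, so remote MTAs can neither validate it nor pin it. It enables opportunistic encryption on both the STARTTLS and the SMTPS listener, which defeats passive eavesdropping but not an active attacker; it does not by itself give SMTPS any authentication advantage over STARTTLS.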
