On Wed, Feb 24, 2016 at 12:08:36PM -0800, Peter Eckersley wrote:

> We're currently reviving the STARTTLS Everywhere
> (https://github.com/EFForg/starttls-everywhere) project at EFF. Some
> of the features it currently has:
>
> * Know about a set of major email domains that are guaranteed to
>   support STARTTLS, and what MX domains they point to
> * Know about the minimum TLS version that those domains are guaranteed
>   to support
> * Preliminary integration with the letsencrypt python client, allowing
>   automated installation of a valid cert from Let's Encrypt

Please DO NOT do this. For most domains, email infrastructure is much less static than HTTPS, with domains switching to a different MX provider at the drop of a hat. Degrading SMTP reliability by unilaterally pinning volatile configurations on the sending side is not a good idea.

> The code can currently transform all of the above into tweaks to a
> postfix configuration. However, we quickly ran into what seems to be a
> bug while trying to pin TLS versions via a policy map file:
>
> https://github.com/EFForg/starttls-everywhere/issues/20

You have failed to read the documentation; there is no bug.

-- 
Viktor.