On Tue, Mar 31, 2026 at 08:12:09AM -0400, Curtis Villamizar via Postfix-users
wrote:
> How feasible (or infeasible) is it today to configure mandatory TLS
> encryption on a public facing server? Are there any stats on the
> percentage of mail servers that don't support TLS and the percentage
> of known large volume mail servers that don't support TLS (I suspect
> zero on the latter)?
Every receiving system is different, because each has a different set of
recipients, not all of whom are *typical*. Any statistics observed by
others may not be sufficiently representative for all your users.
With that necessary disclaimer out of the way, the best stats I'm aware
of are from Gmail:
https://transparencyreport.google.com/safer-email/overview?hl=en
See in particular some of the extensions in the two tables at the bottom
of the page.
> btw- it would be nice if there was a version of
> smtp_tls_security_level=dane with a fallback of secure or encrypt.
Perhaps we'll get that done for the 3.12 release (~Q1 2027).
> I also notice there is no smtpd_tls_security_level= dane or dane-only.
> This could also be handled in smtpd_tls_req_ccert = dane or dane-only.
I'd need to find cycles to review the IETF DANCE working group final
documents, and see whether there's enough there to assemble client DANE
for SMTP.
> Any stats on how much would break if client and/or server certs were
> required and with either DANE or CA signed in the next hop?
Some sites would run into material breakage, whether your site is among
them is unknown.
> Also any stats on implementation of REQUIRETLS?
That's basically not implemented by anyone yet. Support for this in
Postfix 3.11.0 is hot off the presses, and I've not heard about similar
support in any other MTAs.
--
Viktor. 🇺🇦 Glory to Ukraine!
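As an added illustration (not from the thread), the closest Postfix offers today to the requested "dane with a fallback" is a global dane default plus per-destination overrides in smtp_tls_policy_maps; note that a destination listed in the policy table uses the listed level instead of DANE, so this is a per-domain approximation rather than the global fallback asked for. Paths and example.* domains are placeholders.

```conf
# --- /etc/postfix/main.cf (placeholder paths) ---

# Outbound: DANE where the next hop publishes TLSA records under DNSSEC,
# opportunistic TLS ("may") for everyone else. Requires a local
# DNSSEC-validating resolver, otherwise "dane" silently degrades to "may".
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_security_level = dane
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Level 1 logs one line per delivery ("Untrusted/Trusted/Verified TLS
# connection established to ..."); counting those per destination gives
# site-specific stats instead of relying on another site's numbers.
smtp_tls_loglevel = 1

# Per-destination levels override the default above.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Inbound: offer STARTTLS but do not require it; "encrypt" here would
# reject plaintext senders, which is the breakage discussed above.
# Recording TLS details in Received: headers lets you measure which
# senders actually negotiate TLS before tightening anything.
smtpd_tls_security_level = may
smtpd_tls_received_header = yes

# --- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy") ---
# Listed destinations skip DANE and use this level; "secure" verifies the
# certificate against smtp_tls_CAfile and the next-hop name, "encrypt"
# only requires TLS. A leading dot also matches subdomains.
# example.com        secure
# .example.com       secure
# partner.example    encrypt
```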