In message <[email protected]> Viktor Dukhovni via Postfix-users writes:

> On Tue, Mar 31, 2026 at 08:12:09AM -0400, Curtis Villamizar via Postfix-users
> wrote:
>
> > How feasible (or infeasible) is it today to configure mandatory TLS
> > encryption on a public facing server? Are there any stats on the
> > percentage of mail servers that don't support TLS and the percentage
> > of known large volume mail servers that don't support TLS (I suspect
> > zero on the latter)?
>
> Every receiving system is different, because each has a different set of
> recipients, not all of whom are *typical*. Any statistics observed by
> others may not be sufficiently representative for all your users.

Good point. I should probably not ask if anyone else has stats but rather
look at my own mail logs over a long time period. Thanks.

> With that necessary disclaimer out of the way, the best stats I'm aware
> of are from Gmail:
>
> https://transparencyreport.google.com/safer-email/overview?hl=en

So fluctuating at 100% or just below.

> See in particular some of the extensions in the two tables at the bottom
> of the page.

Not sure what you are referring to.

> > btw- it would be nice if there was a version of
> > smtp_tls_security_level=dane with a fallback of secure or encrypt.
>
> Perhaps we'll get that done for the 3.12 release (~Q1 2027).

I'll check my stats first. DANE fallback to secure, which I think means
CA signed, would be great if possible to do so. Even DANE fallback to
encrypt would be an improvement.

> > I also notice there is no smtpd_tls_security_level= dane or dane-only.
> > This could also be handled in smtpd_tls_req_ccert = dane or dane-only.
>
> I'd need to find cycles to review the IETF DANCE working group final
> documents, and see whether there's enough there to assemble client DANE
> for SMTP.

Again I should check my own stats. Thanks.

> > Any stats on how much would break if client and/or server certs were
> > required and with either DANE or CA signed in the next hop?
>
> Some sites would run into material breakage, whether your site is among
> them is unknown.

I think it would eliminate a lot of spam and provide more secure mail
delivery, and it might be worth occasional breakage for very badly set up
senders.

> > Also any stats on implementation of REQUIRETLS?
>
> That's basically not implemented by anyone yet. Support for this in
> Postfix 3.11.0 is hot off the presses, and I've not heard about similar
> support in any other MTAs.

I might turn it on for the logging. Thanks.

btw- I have had DKIM for outbound for a long time and just added DMARC
(very behind the times). Certs use a self signed local CA so DANE is
essential.

Inbound I recently added a spam filter using perl Sendmail::PMilter that
uses prior inbound spam and ham in creating custom header checks based on
about 100k past history, of which about 12% was spam that used to get
through but now it's zero. Extremely small volume of mail on a handful of
barely used email domains.

Curtis

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
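The reply above settles on measuring TLS coverage from one's own mail logs rather than from published statistics. The following is an added example, not code from the thread or from the Postfix project, of how such a measurement can be taken from the smtp(8) client log lines Postfix writes: it correlates each "... TLS connection established to ..." handshake line with the subsequent "status=sent" deliveries made by the same smtp process, and tallies deliveries per relay host by TLS trust level (Verified, Trusted, Untrusted, Anonymous) or as cleartext when no handshake preceded the delivery in that process. The sample log lines are constructed in the shape Postfix uses and describe no real hosts; the per-process correlation is an approximation that assumes one outbound connection per smtp process at a time.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the shape Postfix's smtp(8) client logs them
# (example.org / example.net / documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Mar 31 08:12:09 mx postfix/smtp[2101]: Verified TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 31 08:12:09 mx postfix/smtp[2101]: 4A1B2C3D4E: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 31 08:13:01 mx postfix/smtp[2102]: Untrusted TLS connection established to mail.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 31 08:13:01 mx postfix/smtp[2102]: 5B2C3D4E5F: to=<bob@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 OK)
Mar 31 08:13:02 mx postfix/smtp[2102]: 6C3D4E5F6A: to=<carol@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 OK)
Mar 31 08:14:30 mx postfix/smtp[2103]: 7D4E5F6A7B: to=<dave@legacy.example.com>, relay=smtp.legacy.example.com[203.0.113.5]:25, delay=1.1, delays=0.2/0/0.5/0.4, dsn=2.0.0, status=sent (250 Queued)
Mar 31 08:15:00 mx postfix/smtp[2104]: 8E5F6A7B8C: to=<erin@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=2.0, delays=0.1/0/1.5/0.4, dsn=4.4.2, status=deferred (lost connection)
"""

# Postfix trust levels: Verified = peer certificate matched (DANE or CA with
# name check), Trusted = CA-signed but no name match, Untrusted = encrypted
# only, Anonymous = no certificate at all.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[]+)\["
)
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+: to=<[^>]*>, relay=(?P<host>[^\[]+)\[.*status=sent\b"
)


def tls_delivery_stats(lines):
    """Return (per_relay, totals): Counters of deliveries keyed by TLS level.

    A delivery counts under the trust level of the most recent handshake logged
    by the same smtp process to the same relay host; otherwise as 'cleartext'.
    Deferred or bounced deliveries are not counted.
    """
    last_conn = {}  # pid -> (relay host, trust level) of that process's last handshake
    per_relay = defaultdict(Counter)
    totals = Counter()
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            last_conn[m["pid"]] = (m["host"], m["level"])
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        host = m["host"]
        conn = last_conn.get(m["pid"])
        level = conn[1] if conn and conn[0] == host else "cleartext"
        per_relay[host][level] += 1
        totals[level] += 1
    return per_relay, totals


def cleartext_fraction(totals):
    """Share of sent deliveries that went out without TLS (0.0 if nothing was sent)."""
    sent = sum(totals.values())
    return totals["cleartext"] / sent if sent else 0.0


def report(lines):
    per_relay, totals = tls_delivery_stats(lines)
    print(f"{'relay':32} {'deliveries':>10}  levels")
    for host, levels in sorted(per_relay.items()):
        detail = ", ".join(f"{lvl}={n}" for lvl, n in sorted(levels.items()))
        print(f"{host:32} {sum(levels.values()):>10}  {detail}")
    print(f"cleartext share: {cleartext_fraction(totals):.1%}")
    return totals


if __name__ == "__main__":
    # Usage: python tls_stats.py /var/log/mail.log (or no argument for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report(fh)
    else:
        report(SAMPLE_LOG.splitlines())
```

Run over a long enough span of logs, the relays that appear only under "cleartext" are the destinations that would stop receiving mail under a mandatory-TLS policy, and the split between Verified and Untrusted shows how many would still be reachable once a DANE-or-secure fallback is the floor.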
