Re: Require TLS on internet-facing servers?
On Fri, Jul 07, 2017 at 10:40:47AM -0700, robg...@nospammail.net wrote: > I am starting to setup a Postfix server for our office. > > I'm looking at TLS policy. > > Reading old posts on the Postfix mailing lists there's lots of > comments that REQUIRING tls should never be done on an public > internet-facing server. > > But those comments are from 5-7 yrs ago. > > Is that still the case? > > On a friend's server we just checked 3 months of logs. IIUC > there's been no non-TLS connections at all in that time: I use a warn_if_reject reject_plaintext_session restriction at end-of-DATA, so I have some numbers which might not be relevant to anyone else, but there are two main classes of plaintext mail arriving at my site: 1. Legitimate (solicited & confirmed) marketing mail 2. Free software project mailing lists (not this one) Your numbers (and classes) would vary if you tinker with TLS settings such that you won't accept "weak" ciphers. (Is a weak cipher weaker than plaintext?) My cipher settings are all Postfix defaults. > Second, if there are actually no non-encrypted connections, is > it time finally to simply require it? I won't. It's not like TLS in SMTP is going to make a huge difference for privacy. I suppose big mail services like gmail are scanning mail content for their own use, and quite likely are allowing national governments to do the same. TLS addresses a single, relatively minor security concern, of protection of data in transit. Yes, that is a good thing, but remember: you're also trusting the administrators of the other endpoint. If you really want to be a privacy advocate, start using GnuPG for end-to-end email encryption. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Require TLS on internet-facing servers?
On Fri, Jul 07, 2017 at 03:04:11PM -0700, li...@lazygranch.com wrote: > Would there be some way to redirect unencrypted email to some other server. > Gmail for instance. I would then force encryption on my personal server. SMTP does not have "redirects". SMTP security policy is up to the client: http://www.postfix.org/TLS_README.html#client_tls_limits Just enable STARTTLS on the server, and let the clients do the rest. There's little to be gained on enforcing TLS on inbound SMTP servers (``MX hosts''). By all means enforce TLS for submission, and enable opportunistic TLS or opportunistic DANE TLS on your outbound SMTP transport. Rumour has it that the US army is finally aiming to deploy STARTTLS circa July 2018: https://motherboard.vice.com/en_us/article/bjxjxv/the-pentagon-says-it-will-start-encrypting-soldiers-emails-next-year The fraction of mail using TLS reported by Gmail has grown considerably over the last few years, and is now hovering around 90% by volume. Of course much of their traffic is to other large consumer email providers that also support STARTTLS, and not to mailing lists or other "niche" destinations that might not bother. https://www.google.com/transparencyreport/saferemail/ -- Viktor.
Re: Require TLS on internet-facing servers?
Would there be some way to redirect unencrypted email to some other server. Gmail for instance. I would then force encryption on my personal server. I'm down to one contact (as in a person I know) that isn't using encryption. I made two converts! I haven't checked mailing lists for encryption. Original Message From: Wietse Venema Sent: Friday, July 7, 2017 11:32 AM To: Postfix users Reply To: Postfix users Subject: Re: Require TLS on internet-facing servers? Correction: my numbers were off because I used case-insensitive search. robg...@nospammail.net: > Hello, > > I am starting to setup a Postfix server for our office. > > I'm looking at TLS policy. > > Reading old posts on the Postfix mailing lists there's lots of > comments that REQUIRING tls should never be done on an public > internet-facing server. > > But those comments are from 5-7 yrs ago. > > Is that still the case? Your server, your rules... > On a friend's server we just checked 3 months of logs. IIUC there's > been no non-TLS connections at all in that time: > > grep -i "connection established" postfix*.log | wc -l > 125217 > > grep -i "connection established" postfix*.log | grep -v TLS | wc > -l > 0 > > First, is that a legitimate way to check? No, because "connection established" is logged only for TLS connections. You'd also have to count the lines with "connect from" which covers both TLS and non-TLS. On my tiny server, only 43% of all inbound connections in June 2017 used TLS (a negligible portion of the "connection established" lines were from tlsproxy). And that is only for the 4.9% of connections that weren't blocked by postscreen (25% of all unique clients). If I were to block non-TLS email, I would miss a lot of email. Wietse
Re: Require TLS on internet-facing servers?
Correction: my numbers were off because I used case-insensitive search. robg...@nospammail.net: > Hello, > > I am starting to setup a Postfix server for our office. > > I'm looking at TLS policy. > > Reading old posts on the Postfix mailing lists there's lots of > comments that REQUIRING tls should never be done on an public > internet-facing server. > > But those comments are from 5-7 yrs ago. > > Is that still the case? Your server, your rules... > On a friend's server we just checked 3 months of logs. IIUC there's > been no non-TLS connections at all in that time: > > grep -i "connection established" postfix*.log | wc -l > 125217 > > grep -i "connection established" postfix*.log | grep -v TLS | wc > -l > 0 > > First, is that a legitimate way to check? No, because "connection established" is logged only for TLS connections. You'd also have to count the lines with "connect from" which covers both TLS and non-TLS. On my tiny server, only 43% of all inbound connections in June 2017 used TLS (a negligible portion of the "connection established" lines were from tlsproxy). And that is only for the 4.9% of connections that weren't blocked by postscreen (25% of all unique clients). If I were to block non-TLS email, I would miss a lot of email. Wietse
Require TLS on internet-facing servers?
Hello, I am starting to setup a Postfix server for our office. I'm looking at TLS policy. Reading old posts on the Postfix mailing lists there's lots of comments that REQUIRING tls should never be done on an public internet-facing server. But those comments are from 5-7 yrs ago. Is that still the case? On a friend's server we just checked 3 months of logs. IIUC there's been no non-TLS connections at all in that time: grep -i "connection established" postfix*.log | wc -l 125217 grep -i "connection established" postfix*.log | grep -v TLS | wc -l 0 And that's with what I understand to be a 'may' policy. First, is that a legitimate way to check? Second, if there are actually no non-encrypted connections, is it time finally to simply require it? Rob
