Re: [swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Thread Tobias Goeller
Hi Tobi

Well, you actually *can* technically enforce TLS. I'm not saying that it would 
make any... but if you want to revive Don Quixote one more time... yes, you can.

I would be happy already if people would create working SPF records with 
enforcement for all domains (and stop using Outlook and thinking of Exchange 
as a technologically sound mailserver)

Even big financial companies fail at creating SPF Records... and wonder why 
they have so many bounces.

I do have mandatory TLS for some domains... but not as a global requirement 
(although... in a perfect world...)

Tobias

--
E = M * C^2 +/- 3.2db

> On 2 Feb 2018, at 11:22 , Tobi  wrote:
> 
> You cannot force any other party to apply YOUR policy to THEIR systems.
> "Your server your rules, but my server my rules" :-)
> Furthermore, mandatory TLS can fail for a bunch of other reasons apart
> from "not offering TLS at all", e.g. no common cipher/TLS version can be
> negotiated.
> I do mandatory tls on my servers too, but not globally. Just for
> selected rcpt-domains/next-hops
> 
> Cheers
> 
> tobi
> 
> On 02.02.2018 at 09:36, Peter Keel wrote:
>> Hi
>> 
>> I get these errors:
>> 
>> | TLS is required, but was not offered by host mx1.datacomm.ch[212.40.2.32]
>> 
>> and
>> 
>> | TLS is required, but was not offered by host relay.kfsb.ch[213.202.32.8]
>> 
>> Since I've made TLS for SMTP mandatory. The respective admins of these servers
>> might want finally at least enable voluntary TLS; some of their customers
>> apparently would like to receive mails from my server.
>> 
>> And by the way, RFC 2487 that is referred to for instance in the postfix manpage
>> and stated that one must not make TLS mandatory has been obsoleted by RFC 3207.
>> 
>> Cheers
>> Seegras
>> 
> 
> 
> ___
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog





Re: [swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Thread Marc Balmer
Some folks obviously have too much time, lol ...;)

On 02.02.2018 at 15:58, Daniel Stirnimann wrote:

>> Since you seem to like quotes, Jon Postel had one for you:
>> 
>> "Be liberal in what you accept, and conservative in what you send"
> 
> I thought this mindset is outdated:
> 
> https://tools.ietf.org/html/draft-thomson-postel-was-wrong-02
> 
> Daniel
> 
> 





Re: [swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Thread Daniel Stirnimann
> Since you seem to like quotes, Jon Postel had one for you:
> 
> "Be liberal in what you accept, and conservative in what you send"

I thought this mindset is outdated:

https://tools.ietf.org/html/draft-thomson-postel-was-wrong-02

Daniel




Re: [swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Thread Massimiliano Stucchi


On 02/02/2018 09:36, Peter Keel wrote:

> Since I've made TLS for SMTP mandatory. The respective admins of these servers
> might want finally at least enable voluntary TLS; some of their customers 
> apparently would like to receive mails from my server.

Since you seem to like quotes, Jon Postel had one for you:

"Be liberal in what you accept, and conservative in what you send"

Ciao!

-- 

Massimiliano Stucchi
MS16801-RIPE





Re: [swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Thread Tobi
You cannot force any other party to apply YOUR policy to THEIR systems.
"Your server your rules, but my server my rules" :-)
Furthermore, mandatory TLS can fail for a bunch of other reasons apart
from "not offering TLS at all", e.g. no common cipher/TLS version can be
negotiated.
I do mandatory tls on my servers too, but not globally. Just for
selected rcpt-domains/next-hops

Cheers

tobi

On 02.02.2018 at 09:36, Peter Keel wrote:
> Hi
> 
> I get these errors: 
> 
> | TLS is required, but was not offered by host mx1.datacomm.ch[212.40.2.32]
> 
> and 
> 
> | TLS is required, but was not offered by host relay.kfsb.ch[213.202.32.8]
> 
> Since I've made TLS for SMTP mandatory. The respective admins of these servers
> might want finally at least enable voluntary TLS; some of their customers 
> apparently would like to receive mails from my server.
> 
> And by the way, RFC 2487 that is referred to for instance in the postfix manpage
> and stated that one must not make TLS mandatory has been obsoleted by RFC 3207.
> 
> Cheers
> Seegras
> 




Re: [swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Thread Viktor Steinmann

Mimimi? Seriously?

If you choose to configure TLS mandatory, you'll have to live with the 
fact that some servers will not offer this service.


Don't try to force others to apply your policy, instead relax your own 
policy. You can still monitor your maillog for non-TLS connections and 
from time to time ask identified mail-admins politely to update their 
policy.


Cheers,

Viktor


On 02.02.2018 09:36, Peter Keel wrote:

> Hi
> 
> I get these errors:
> 
> | TLS is required, but was not offered by host mx1.datacomm.ch[212.40.2.32]
> 
> and
> 
> | TLS is required, but was not offered by host relay.kfsb.ch[213.202.32.8]
> 
> Since I've made TLS for SMTP mandatory. The respective admins of these servers
> might want finally at least enable voluntary TLS; some of their customers
> apparently would like to receive mails from my server.
> 
> And by the way, RFC 2487 that is referred to for instance in the postfix manpage
> and stated that one must not make TLS mandatory has been obsoleted by RFC 3207.
> 
> Cheers
> Seegras
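
Viktor Steinmann's suggestion above (relax the policy and watch the maillog for non-TLS connections), sketched as an added example that is not part of the original thread. It assumes Postfix syslog-style lines and `smtp_tls_loglevel` of at least 1 so that TLS handshakes are logged; the function name `non_tls_relays`, the sample lines and the `example.invalid` hosts are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix syslog style; only the "TLS is required"
# message text and the two host names/addresses are taken from the thread.
SAMPLE_LOG = """\
Feb  2 09:30:01 mail postfix/smtp[2101]: 3F1A2B4C5D: to=<a@example.invalid>, relay=mx1.datacomm.ch[212.40.2.32]:25, delay=1.2, status=deferred (TLS is required, but was not offered by host mx1.datacomm.ch[212.40.2.32])
Feb  2 09:31:10 mail postfix/smtp[2102]: Untrusted TLS connection established to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  2 09:31:11 mail postfix/smtp[2102]: 7C9D0E1F2A: to=<b@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=0.9, status=sent (250 2.0.0 Ok)
Feb  2 09:32:40 mail postfix/smtp[2103]: 9B8A7C6D5E: to=<c@example.invalid>, relay=relay.kfsb.ch[213.202.32.8]:25, delay=0.7, status=sent (250 2.0.0 Ok)
"""

PROC = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
REQUIRED = re.compile(r"TLS is required, but was not offered by host (\S+?)\[([^\]]+)\]")
TLS_UP = re.compile(r"TLS connection established to (\S+?)\[([^\]]+)\]")
SENT = re.compile(r"relay=(\S+?)\[([^\]]+)\]:\d+,.*status=sent")


def non_tls_relays(lines):
    """Return (refused, plaintext) Counters keyed by (host, ip).

    refused:   deliveries deferred because TLS was mandatory but not offered.
    plaintext: deliveries sent although the same smtp process never logged a
               TLS handshake with that relay (heuristic: correlation by PID).
    """
    refused, plaintext = Counter(), Counter()
    tls_seen = set()  # (pid, host, ip) for which a handshake line was logged
    for line in lines:
        m = PROC.search(line)
        if not m:
            continue  # not an outbound smtp client line
        pid, msg = m.groups()
        if (r := REQUIRED.search(msg)):
            refused[r.groups()] += 1
        elif (t := TLS_UP.search(msg)):
            tls_seen.add((pid, *t.groups()))
        elif (s := SENT.search(msg)):
            if (pid, *s.groups()) not in tls_seen:
                plaintext[s.groups()] += 1
    return refused, plaintext


if __name__ == "__main__":
    refused, plaintext = non_tls_relays(SAMPLE_LOG.splitlines())
    for label, counts in (("refused", refused), ("plaintext", plaintext)):
        for (host, ip), n in counts.most_common():
            print(f"{label:9} {n:4} {host} [{ip}]")
```

The per-relay counts give the list of hosts whose admins could be contacted, whether the local policy is mandatory (deferred mail) or opportunistic (mail sent in clear).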






[swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Thread Peter Keel
Hi

I get these errors: 

| TLS is required, but was not offered by host mx1.datacomm.ch[212.40.2.32]

and 

| TLS is required, but was not offered by host relay.kfsb.ch[213.202.32.8]

Since I've made TLS for SMTP mandatory. The respective admins of these servers
might want finally at least enable voluntary TLS; some of their customers 
apparently would like to receive mails from my server.

And by the way, RFC 2487 that is referred to for instance in the postfix manpage
and stated that one must not make TLS mandatory has been obsoleted by RFC 3207.

Cheers
Seegras
-- 
"Those who give up essential liberties for temporary safety deserve 
neither liberty nor safety." -- Benjamin Franklin
"It's also true that those who would give up privacy for security are 
likely to end up with neither." -- Bruce Schneier

