On Fri, Aug 16, 2019 at 04:53:23PM +1000, Viktor Dukhovni wrote:
> Bottom line, only trust local resolvers you deploy, configure
> *correctly* and test.
Well, it doesn't _have_ to be local. You could, for instance, be
connected to a resolver that you know you can trust (FSVO "know" and
"trust")
> On Aug 16, 2019, at 1:29 AM, Viktor Dukhovni
> wrote:
>
> enable DANE outbound:
>
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
> main.cf:
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
>
> /etc/resolv.conf
> # A validating *local*
This info is really helpful. Thanks.
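A check for the two prerequisites raised in the messages above (the quoted `main.cf` settings and the advice to rely on a validating local resolver), as an added example that is not part of the thread or of Postfix. The function names and sample files are constructed for illustration, and a loopback `nameserver` is used as a stand-in for "local resolver"; the script cannot tell whether that resolver actually validates DNSSEC.

```python
import ipaddress

# Values from the quoted main.cf; "dane-only" is Postfix's stricter DANE level.
REQUIRED = {
    "smtp_dns_support_level": {"dnssec"},
    "smtp_tls_security_level": {"dane", "dane-only"},
}

def parse_main_cf(text):
    """main.cf rules: '#' lines are comments, leading whitespace continues
    the previous logical line, and the last assignment of a name wins."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    params = {}
    for entry in logical:
        name, sep, value = entry.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit(main_cf, resolv_conf):
    """Return a list of findings; an empty list means the checks passed."""
    params, findings, servers = parse_main_cf(main_cf), [], []
    for name, allowed in REQUIRED.items():
        if params.get(name) not in allowed:
            findings.append(f"{name} = {params.get(name)!r}, want one of {sorted(allowed)}")
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    if not servers:
        findings.append("resolv.conf lists no nameserver")
    for ns in servers:
        try:
            local = ipaddress.ip_address(ns).is_loopback
        except ValueError:
            local = False
        if not local:
            findings.append(f"nameserver {ns} is not loopback; its DNSSEC answers "
                            "are only as trustworthy as the network path")
    return findings

# Constructed sample files, not taken from any real host.
SAMPLE_MAIN_CF = "smtp_dns_support_level = dnssec\nsmtp_tls_security_level =\n  dane\n"
SAMPLE_RESOLV = "nameserver 127.0.0.1\nnameserver 192.0.2.53  # constructed remote\n"

if __name__ == "__main__":
    print(audit(SAMPLE_MAIN_CF, SAMPLE_RESOLV))
```

Per-destination overrides (for example a TLS policy table) are outside what this check reads.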
On 2019/8/15 Thursday 11:29 PM, Viktor Dukhovni wrote:
On Thu, Aug 15, 2019 at 02:52:12PM +0800, Eliza wrote:
My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.
Don't confuse port 25 used for (MTA-to-MTA) SMTP (inter-domain email
relay),
On Thu, Aug 15, 2019 at 02:52:12PM +0800, Eliza wrote:
> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.
Don't confuse port 25 used for (MTA-to-MTA) SMTP (inter-domain email
relay), with ports 587 and 465 used in the MUA-to-MTA *SUBMIT*
protocol, which is very similar to
MTA-STS is not the only technique; DANE (rfc7672) can be used, too (and in
fact it is by many big German providers at least).
See these slides for an introduction:
https://www.netnod.se/sites/default/files/2016-12/Anders_Berggren_can_haz_secure_mail.pdf
Or this Wikipedia page:
Hi,
on 2019/8/15 15:44, a wrote:
The most that you can do is enable STARTTLS and configure MTA-STS (rfc8461).
Is there a guide for that?
thanks.
You can't force a remote peer to use SSL unless that peer is under your
control.
The most that you can do is enable STARTTLS and configure MTA-STS (rfc8461).
Thu, 15 Aug 2019, 9:53 Eliza :
> Hello,
>
> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.
>
> How to enforce the
Hello,
My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.
How can I force the peer MTA to send messages only to port 465 for more
secure communication?
Can I just shut down port 25?
Thanks.