On 10/11/2010 10:10 AM, Jeremy Charles wrote:
At one point, the default posture of most SMTP implementations was to allow open relaying unless the admin specifically configured it to be blocked. Currently, the default posture of most SMTP implementations is to allow non-TLS connections unless the admin specifically configures them to be blocked.
Just to be clear, no one is talking about SMTP submissions, right? It's standard for end-user authenticated submitted email to always use TLS.
My feeling is that this default posture will also change at some point in the future so that non-TLS SMTP connections are blocked unless specifically configured to be allowed. At least, I'm hoping for that, given that I work for a company that interacts with healthcare organizations a lot.
What motivation are you planning to harness? Ending open-relaying was necessary for the spam issue. Ending non-TLS won't help with the spam issue.
Ending non-TLS would be good for encrypting sensitive content in transit server-to-server. But lay-people don't consider this a problem, or they don't even know that this traffic isn't already always encrypted.
You could use the HIPAA argument, but that would be countered with the argument that email shouldn't be used for HIPAA data in the first place.
The big question in my (biased) mind is... when will that happen and what could be done to help hurry it along?
For the sake of brainstorming, you could maintain a history of IPs that have used TLS in the past, and then attempt to enforce all future connections from those servers to use TLS.
Jesse
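The "remember which peers have used TLS, then hold them to it" idea above, worked through as an added example (this is not code from the list post or from any MTA). It assumes the MTA hands the policy one event per inbound connection (peer IP and whether STARTTLS was negotiated) and acts on the returned decision; the TTL, the peer IPs and the event log are constructed for illustration. The TTL is the important caveat: IPs get reassigned and NAT pools mix hosts, so an expectation learned long ago should lapse rather than block mail forever.

```python
"""
TLS-history ("trust on first use") policy for inbound SMTP peers.

Added illustration of the brainstorm above; not the list's or any MTA's code.
Assumed interface: the MTA calls observe(peer_ip, used_tls) for each inbound
connection and accepts or defers based on the returned action.
"""
from dataclasses import dataclass, field
import ipaddress
import time

# Assumed reply the MTA sends when deferring (4xx so a real sender retries and
# the remote admin sees the reason in their queue, rather than losing mail).
DEFER_REPLY = "450 4.7.0 This server has seen TLS from you before; STARTTLS is required"


@dataclass
class PeerRecord:
    first_tls: float            # when this peer first negotiated STARTTLS
    last_tls: float             # most recent TLS connection
    tls_count: int = 0
    plaintext_after_tls: int = 0  # downgrades seen; useful for alerting


@dataclass
class TlsHistoryPolicy:
    # Forget a TLS expectation after this many seconds without TLS contact,
    # so a reassigned IP or a decommissioned peer does not stay pinned.
    ttl: float = 90 * 86400
    records: dict = field(default_factory=dict)

    def observe(self, peer_ip: str, used_tls: bool, now: float = None) -> str:
        """Record one inbound connection; return 'accept' or 'defer'."""
        now = time.time() if now is None else now
        ip = str(ipaddress.ip_address(peer_ip))   # validate and normalise
        rec = self.records.get(ip)

        if used_tls:
            if rec is None:
                self.records[ip] = PeerRecord(first_tls=now, last_tls=now, tls_count=1)
            else:
                rec.last_tls = now
                rec.tls_count += 1
            return "accept"

        # Plaintext connection: only an issue if we still expect TLS from it.
        if rec is None:
            return "accept"
        if now - rec.last_tls > self.ttl:
            del self.records[ip]                   # expectation has lapsed
            return "accept"
        rec.plaintext_after_tls += 1
        return "defer"

    def downgraded_peers(self):
        """Peers that connected in plaintext after having used TLS (for review)."""
        return sorted(ip for ip, r in self.records.items() if r.plaintext_after_tls)


def replay(policy: TlsHistoryPolicy, events):
    """Feed (time, ip, used_tls) events through the policy; return decisions."""
    return [policy.observe(ip, tls, now=t) for t, ip, tls in events]


# Constructed event log: two peers, one of which later drops to plaintext.
SAMPLE_EVENTS = [
    (0,    "192.0.2.10",  False),  # unknown peer, plaintext: nothing to enforce yet
    (60,   "192.0.2.10",  True),   # first STARTTLS from this peer: remember it
    (120,  "2001:db8::1", True),
    (180,  "192.0.2.10",  False),  # downgrade within TTL: defer with DEFER_REPLY
    (9000, "192.0.2.10",  False),  # expectation expired (ttl=3600): accept again
]

if __name__ == "__main__":
    policy = TlsHistoryPolicy(ttl=3600)
    for ev, decision in zip(SAMPLE_EVENTS, replay(policy, SAMPLE_EVENTS)):
        print(f"t={ev[0]:>5} {ev[1]:<12} tls={ev[2]!s:<5} -> {decision}")
    print("downgraded:", policy.downgraded_peers())
```

Run directly, it replays the constructed log and prints one decision per connection. The decisions it makes for a plaintext connection depend only on whether the same IP negotiated TLS within the TTL; whether the MTA should defer (4xx) or reject (5xx) on a downgrade is a deployment choice, and a defer is the gentler default because a misconfigured but legitimate sender keeps retrying instead of bouncing.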
_______________________________________________
Tech mailing list
[email protected]
http://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
