On 1/5/19 6:44 PM, Viruthagiri Thirumavalavan wrote:
>> There are plenty of lightweight free daemons out there that can securely
>> serve static content over TLS.
>
> Alice, Thanks for the input.
>
> I don't think "lightweight" is the problem here. If I'm desperate about
> email security I'm gonna configure the web server even if it is not
> lightweight. As you know, web server and mail server are two different
> things. One should not depend on another in order to work.

Well since SMTP is point to point, if you depend upon encryption you
need S/MIME or PGP and always will.
Also I seem to recall talk of an e-mail header clients can add that tells
an MTA not to forward it without encryption.
What the HTTPS server in MTA-STS really does is give some limited
protection against DNS MX record spoofing for zones that do not have
DNSSEC and/or for MTA clients that do not validate DNSSEC.
SMTP itself still works without running a web server. The web server
really is just an easier way than DNSSEC for some admins to secure the
MX response, a 2FA on the MX response so to speak.

> For example, I'm using my domain only for mailing purposes. If I have to
> set up an HTTPS server to make my email secure, I'm probably ok with that.
> But it's not easy for a non-tech savvy user who depends on third party
> mail services like Google Apps. Setting up web server, installing SSL
> certificates are high level tasks for a non-tech savvy user.

Not really all that high level, and if they are too high level for the
user, there are inexpensive services that do it for you, including valid
certificate thanks to Let's Encrypt.
I agree it would be better if Google started signing their zones and
supported DANE for TLS.