[CentOS] Forcing TLS for SMTP?

Lists

lists at benjamindsmith.com
Wed Dec 4 23:14:32 UTC 2019


See bottom post below.

On Wednesday, December 4, 2019 2:24:51 PM PST Phil Perry wrote:
> On 04/12/2019 22:03, Lists wrote:
> > I have a goal of securing email. Updated the company mail server and DNS
> > (CentOS 7 + Postfix, otherwise pretty stock) with support for SPF, DKIM,
> > and DMARC. So far, all good, and everything "just works".
> > 
> > Our mail server has supported SMTP / TLS for a long time, but recently
> > I've been considering requiring TLS all the time.
> > 
> > Is there anybody here who's done this? Has it caused any particular
> > fallout? I'm curious about:
> > 
> > 1) Requiring SMTP / TLS for any inbound email.
> > 
> > 2) Requiring SMTP / TLS for any outbound email.
> > 
> > Thanks
> 
> The obvious consideration is that if the other server does not offer
> tls, the connection will fail and you will not be able to communicate.
> 
> Further RFC2487 states that enforcing tls must not be used on public
> facing mail servers.
> 
> So if you want to enforce tls to ensure encryption on purely internal
> mail servers, that is fine but your external facing smtp servers must
> not enforce tls.
> 
> See the Postfix tls documentation for more information:
> 
> http://www.postfix.org/TLS_README.html

Is there a useful defense against STARTTLS being stripped from unencrypted
communications?

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Our company sometimes does business in countries hostile to encryption and if 
there's a means to enforce this appropriately, I'd like to implement it. 

Seems to me something like a DMARC DNS TXT flag would be appropriate for this. 
smtptls=none|any|required; ? But that's just an idea. 
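For reference, here is what the two cases asked about (1: inbound, 2: outbound) look like in Postfix terms, following the settings documented in the TLS_README Phil linked. This is an added example, not configuration posted by either participant; the certificate paths and the partner domain names are placeholders. It keeps port 25 opportunistic (the RFC point above), requires TLS only on the submission port where you control the clients, and uses a per-destination policy map so that mail to chosen partners is never sent in cleartext.

```ini
# ---- /etc/postfix/main.cf (added example; paths are placeholders) ----

# 1) Inbound on the public MX port 25: opportunistic TLS only.
# A publicly referenced MX must not require STARTTLS, so this stays "may".
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_loglevel = 1

# 2) Outbound default: opportunistic TLS, falling back to cleartext.
smtp_tls_security_level = may
# CentOS 7 system CA bundle, needed to verify peers at the "secure" level.
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
# Per-destination overrides; lookup key is the next-hop domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/tls_policy (run: postmap /etc/postfix/tls_policy) ----
# "encrypt": TLS mandatory, certificate not verified.
# "secure":  TLS mandatory, certificate must chain to a trusted CA and
#            match the listed names. Both refuse to fall back to cleartext.
# partner.example         secure match=partner.example:.partner.example
# otherpartner.example    encrypt

# ---- /etc/postfix/master.cf (submission port 587, TLS required) ----
# submission inet n       -       n       -       -       smtpd
#   -o syslog_name=postfix/submission
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
```

With `encrypt` or `secure` for a destination, the Postfix SMTP client treats a missing STARTTLS in the EHLO response as a failed session and defers the message instead of delivering it in the clear, which is the practical defense against the downgrade described in the EFF article for the partners you list; at `secure` a substituted certificate fails the same way. The limitation is that this policy is configured locally and per destination, so it does not give remote senders the DNS-advertised flag suggested in the post.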