Score:0

Postfix with only STARTTLS or TLS


I have set up my Postfix to require STARTTLS, or SSL/TLS, as well as the user being authenticated if sending to other domains, or the recipient being known to my host if receiving mail.

I can connect without initial encryption like this:

telnet myserver.com 587
ehlo there
mail from: [email protected]

The server responds with 530 5.7.0 Must issue a STARTTLS command first

I noticed that smtp.gmail.com has the same requirement to use TLS.

I think this is good and what I want. But how many clients/servers who will try to send mail to my domain will fail, because they can't do SSL/TLS? My certificate is signed by letsencrypt, so that shouldn't be a problem.

Asked another way, is it safe to assume that in 2022 all mail senders can do SSL/TLS?

If not, what do I have to change in my postfix configs to allow third parties to deliver mail to my server without TLS (for mails in my domains), but still require my users who want to send mail via my server to login and use STARTTLS or SSL/TLS?

A second question: I noticed that if I send the following, I get the same error, but have I just sent my password to the server effectively unencrypted across the internet, meaning I should change my password? (Note the connection is done with telnet, not openssl!)

telnet myserver.com 587
ehlo there
AUTH PLAIN GFudEBtYaXhdhbnQuY2...doh!
Comment by Ginnungagap:
Posting as a comment because I don't have published statistics to back what I'm saying: I have a requirement on using STARTTLS when my mailer sends mail to other mailers, you'd be surprised how often I have to disable it for mail to actually be delivered. The most surprising one I got was a pretentious security company that uses a self-signed certificate without DANE... Your assumption that mailers use TLS in 2022 is kinda like assuming that people use IPv6 in 2022, full of hope but depressingly wrong.
Reply from the asker:
haha. yeah, that's my fear.
Score:2

Asked another way, is it safe to assume that in 2022 all mail senders can do SSL/TLS?

No, it is not. Today (March 3rd, 2022) Google delivered only 85% of its outbound mail using encryption:

Graph labeled "Outbound email encryption: 85%"

Likewise, today only 89% of inbound email was encrypted:

Graph labeled "Inbound email encryption: 89%"

If not, what do I have to change in my postfix configs to allow third parties to deliver mail to my server without TLS (for mails in my domains), but still require my users who want to send mail via my server to login and use STARTTLS or SSL/TLS?

# postconf smtpd_tls_security_level=may
# postconf smtpd_tls_auth_only=yes

Docs on smtpd_tls_security_level, smtpd_tls_auth_only.

If you want to also allow outbound emails to be delivered without encryption, you should read about smtp_tls_security_level.

Note that you can pin a list of known-good domains to always use encryption using smtp_tls_policy_maps, and you may want to consider implementing MTA-STS as well as a more scalable alternative. Here's some software that works with Postfix, though I haven't used it myself. Note that the Postfix page talks a little bit about DNSSEC and DANE, but DNSSEC won't save us, and the Chromium team agrees.
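Putting the answer's settings together: an added example configuration, not taken from the answer or from Postfix's own documentation, that keeps port 25 opportunistic (so senders without TLS can still deliver) while the submission service on 587 demands both TLS and authentication. The hostname, certificate paths, CA bundle path and policy-map entries are assumptions for illustration.

```conf
# /etc/postfix/main.cf (illustrative fragment; paths are assumed)

# Port 25, inbound from other mail servers: offer STARTTLS but do not demand it,
# so a sender that cannot negotiate TLS can still deliver mail for your domains.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/myserver.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/myserver.com/privkey.pem

# Never announce or accept AUTH on a plaintext connection: an AUTH PLAIN sent
# before STARTTLS is rejected instead of carrying credentials in the clear.
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

# Outbound to other servers: opportunistic TLS by default ...
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# ... except for domains pinned in the policy map, which must use TLS.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (assumed entries; run "postmap" on it after editing):
#   partner.example   verify     # TLS required, MX certificate must verify
#   example.org       encrypt    # TLS required, certificate not verified

# /etc/postfix/master.cf: the submission service overrides the relaxed
# port-25 defaults above and requires TLS before AUTH, and AUTH before relaying.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

With this split, the telnet session in the question still gets "530 5.7.0 Must issue a STARTTLS command first" on port 587, while a plaintext server-to-server delivery on port 25 is accepted.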
