[AusNOG] Issues receiving from TPG Mail servers.

Mal malz at jetlan.com
Tue Jul 24 11:24:28 EST 2018

On 24/07/2018 6:54 AM, Mark Foster wrote:

>> Un-authenticated mail, however, doesn't require credentials in order to
>> accept mail, however, unless that server is relay, it also won't pass that
>> mail on. It would only accept mail from a server if the mailbox was
>> actually on it. So when a sending MTA sends mail to us, our server will
>> accept it if the email account is on that server.
>> This *doesn't* require authentication and thus no username or password are
>> supplied. As such encryption isn't required because there are no details
>> to
>> steal, unless as someone pointed out, you're silly enough to send credit
>> card details via email.
> ... and if you are sending or receiving email from the world-at-large
> (thus, unauthenticated, as you put it) then you can't mandate encryption,
> true.

This is simply incorrect.  You can mandate encryption for transport
layer security with DANE.  This migrates opportunistic TLS into
mandatory, as required.

No usernames are required !  :)

Postfix (MTA) supports DANE and tls_policy maps can be configured to
ensure 'partner' domains are communicated via secure channel only.
Should the remote partner not have suitable TLSA records, the connection
will soft-fail until the remote end is corrected.  This guarantees that
an encrypted connection will be used, provided the remote party offers
StartTLS / DNSSEC / publishes TLSA records.

For other domains not associated with the PCI connection domain (the
remote partner you want to ensure encryption with), opportunistic TLS
applies, if supported by the remote end, per any normal email transmission.


More information about the AusNOG mailing list