[AusNOG] Issues receiving from TPG Mail servers.

Mark Foster blakjak at blakjak.net
Tue Jul 24 12:22:22 EST 2018


>
> On 24/07/2018 6:54 AM, Mark Foster wrote:
>
>>> Un-authenticated mail, however, doesn't require credentials in order to
>>> accept mail. However, unless that server is a relay, it also won't pass
>>> that mail on. It would only accept mail from a server if the mailbox was
>>> actually on it. So when a sending MTA sends mail to us, our server will
>>> accept it if the email account is on that server.
>>> This *doesn't* require authentication and thus no username or password
>>> are supplied. As such, encryption isn't required because there are no
>>> details to steal, unless, as someone pointed out, you're silly enough to
>>> send credit card details via email.
>>
>> ... and if you are sending or receiving email from the world-at-large
>> (thus, unauthenticated, as you put it) then you can't mandate encryption,
>> true.
>
> This is simply incorrect.  You can mandate encryption for transport
> layer security with DANE.  This migrates opportunistic TLS into
> mandatory, as required.
>
> No usernames are required !  :)
>
> Postfix (MTA) supports DANE and tls_policy maps can be configured to
> ensure 'partner' domains are communicated via secure channel only.
> Should the remote partner not have suitable TLSA records, the connection
> will soft-fail until the remote end is corrected.  This guarantees that
> an encrypted connection will be used, provided the remote party offers
> StartTLS / DNSSEC / publishes TLSA records.
>
> For other domains not associated with the PCI connection domain (the
> remote partner you want to ensure encryption with), opportunistic TLS
> applies, if supported by the remote end, per any normal email
> transmission.
>
>

Just for clarity, I wasn't meaning to suggest that it wasn't technically
possible to 'mandate' the use of encryption for email transport.  Just
that it's not something you can force others into doing. It's either your
own platform, or you establish a commercial agreement which is mutually
agreed and both parties have some level of incentive to fix it.

Or, you simply accept you won't be moving email between your servers, if
you choose to implement something like the above in order to achieve some
sort of box-ticking compliance-with-a-standard certification.

It'd be lovely to see TPG join us in the current decade, but I'm not
holding my breath.  I'm still prepared to be surprised, however :-)

Mark.
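For readers who want to see what the Postfix setup described in the quoted reply actually looks like, here is an added illustration; it is not part of either poster's message. The domain partner.example, the map path and the MX name are assumptions made up for the example. The first section is the relevant part of main.cf, the second is the per-destination policy map the quoted reply calls a tls_policy map. Everything not listed in the map keeps the opportunistic default.

```ini
# --- /etc/postfix/main.cf (excerpt) ---------------------------------------
# Default for all destinations: opportunistic TLS. Encrypt if the remote MX
# offers STARTTLS, otherwise fall back to plaintext. This is the "may" level.
smtp_tls_security_level = may

# DANE needs DNSSEC-validated TLSA lookups. Postfix only trusts answers that
# come back with the AD bit from a *local* validating resolver (e.g. unbound
# on 127.0.0.1). Without this line, a "dane" level quietly degrades to "may".
smtp_dns_support_level = dnssec

# Per-destination overrides, keyed by recipient domain (assumed path).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log the negotiated protocol/cipher so you can prove encryption was used.
smtp_tls_loglevel = 1

# --- /etc/postfix/tls_policy ------------------------------------------------
# Rebuild the map after editing:  postmap /etc/postfix/tls_policy
#
# "dane-only": deliver only over a TLSA-authenticated TLS session. If the
# partner's zone is not DNSSEC-signed, publishes no usable TLSA record, or
# its certificate does not match the record, Postfix defers the mail
# (soft-fail, retried until the remote side is fixed) rather than sending
# it unencrypted or unauthenticated. partner.example is a constructed name.
partner.example         dane-only

# "dane": use DANE when usable TLSA records exist, otherwise behave like
# "may". Useful as a middle step before committing a partner to dane-only.
# other-partner.example   dane
```

The partner side has to hold up its end: its zone must be DNSSEC-signed and it must publish a TLSA record for the MX host (for an MX named mx.partner.example, the record lives at _25._tcp.mx.partner.example). Before switching a domain to dane-only, check from the sending host with `posttls-finger -l dane-only partner.example`, which performs the same DNSSEC/TLSA lookup and TLS handshake Postfix would and reports whether the connection would be "Verified", "Trusted", or merely "Untrusted"; only the first of those will satisfy a dane-only policy.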


