Re: [exim] Something like "domains_require_tls"

Author: Bill Cole
Date:  
To: Kirill Miazine via Exim-users
Subject: Re: [exim] Something like "domains_require_tls"
On 2023-03-29 at 04:46:17 UTC-0400 (Wed, 29 Mar 2023 10:46:17 +0200)
Kirill Miazine via Exim-users <km@???>
is rumored to have said:

> Exactly. The former preventing passive data collection, the latter --
> active. Still, if *I* were to state a legal requirement that certain
> domains use TLS, I'd also ask for verification either via TLS or
> DANE, because just TLS is a very small win.


No, it's a huge win. All you get from demanding certificate verification
is "protection" from sending mail as securely as possible to systems
that are trivially misconfigured in ways that have been deemed tolerable
for the whole history of encrypted mail transport.

Passive collection attacks are much easier and hence much less targeted
than active collection, so requiring TLS without requiring certificate
name validation moves your mail transport traffic from collectable by
accidental big-net collection to requiring an attacker to know that they
want YOUR traffic.

You also need to understand that requiring verification as a
prerequisite for encryption has unintended consequences. If you only
allow encryption with verification, you will either break deliverability
entirely for some mail OR fall back to transport in the clear, *to the
same unverifiable host* which cannot be anything but less safe.

--
Bill Cole
bill@??? or billcole@???
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
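
The policy argued for in the message above (require encryption for selected domains without making certificate verification a precondition), sketched as an Exim configuration fragment. This is an added example, not part of the original message or of the Exim distribution; the domain names, the list name `tls_required_domains`, and the router and transport names are constructed for illustration.

```exim
# --- main section ---
# Constructed list of recipient domains that must only be reached over TLS.
domainlist tls_required_domains = example.org : example.net

begin routers

# Must be placed before the general dnslookup router so it matches first.
require_tls_dnslookup:
  driver = dnslookup
  domains = +tls_required_domains
  transport = remote_smtp_require_tls
  # Do not fall through to a later router (and its opportunistic transport)
  # if this router declines for one of these domains.
  no_more

begin transports

remote_smtp_require_tls:
  driver = smtp
  # Never deliver in the clear: if STARTTLS is not offered or the TLS
  # handshake fails, the delivery is deferred instead.
  hosts_require_tls = *
  # Attempt certificate verification, but do not abort on failure.
  # The outcome is logged as CV=yes or CV=no on the delivery line,
  # so unverifiable peers can be reviewed without blocking mail.
  tls_try_verify_hosts = *
  tls_verify_hosts =

# Stricter variant, for comparison: make verification mandatory as well.
# Mail to hosts whose certificate does not verify is then deferred,
# which is the deliverability cost described in the message above.
#
# remote_smtp_require_verified_tls:
#   driver = smtp
#   hosts_require_tls = *
#   tls_verify_hosts = *
```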