On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
> Postfix is a different kind of beast though. It does not typically use
> TLS, but uses some kind of opportunistic security that allows anonymous
> ciphersuites. So it's a bit hard to enforce anything there, as
> man-in-the-middle attacks are possible by design
And keep in mind that in the case of opportunistic TLS, if you restrict
ciphers and the SMTP client doesn't support what you offer, it
falls back to completely plaintext, which defeats the intention.

For secured and verified SMTP it needs special care:
* DANE and DNSSEC, which go far beyond email only
* smtpd_tls_ask_ccert, where admins of both sides must work
  together and also coordinate cert changes

In short:
MTAs acting as public MX must not enforce default TLS policies
from the distribution shipping the package.
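A Postfix configuration illustrating the point above, added here as an example that is neither from the thread nor from the Postfix project: the public MX stays opportunistic, and strictness (DANE or a verified cert) is applied only per destination where both sides have agreed. Assumed: Postfix 2.11 or later, a local DNSSEC-validating resolver, and hypothetical domain names in the policy map.

```conf
# /etc/postfix/main.cf fragment (added example; hypothetical values)

# Receiving side, public MX: opportunistic only. A mandatory level or a
# restricted cipher grade here makes clients that cannot match the offer
# fall back to plaintext instead of failing closed.
smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
# smtpd_tls_security_level = encrypt    <- not on a public MX
# smtpd_tls_ciphers = high              <- not on a public MX

# Client certificates: only ask when the peer's admins coordinate with
# you, since a cert rotation on their side otherwise breaks delivery.
smtpd_tls_ask_ccert = no

# Sending side: opportunistic by default, DANE where the destination
# publishes DNSSEC-signed TLSA records, mandatory only per destination.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/tls_policy (then run: postmap /etc/postfix/tls_policy)
# Hypothetical partner domains: enforce only where both sides agreed.
# partner.example      dane-only
# pinned.example       secure match=mail.pinned.example
# Everything else falls through to smtp_tls_security_level above.
```

Destinations without a policy entry and without usable TLSA records keep the opportunistic behaviour, so a global cipher restriction is never what protects the mail that matters.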