aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

Custom port (i.e. 587) for SMTP check #36

Open dadosch opened 6 years ago

ArchangeGabriel commented 6 years ago

https://tls.imirhil.fr/tls ?

aeris commented 6 years ago

If your submission port is in TLS and not STARTTLS, you can use the raw TLS scanner above, yes. If with STARTTLS, there is currently no way to check (because SMTP is the real SMTP, with MX DNS and co.); I can change that in the new version.

ArchangeGabriel commented 6 years ago

Oh, I missed the fact that STARTTLS was not supported. Is there any advantage in STARTTLS over TLS btw?

aeris commented 6 years ago

STARTTLS is the only supported way for SMTP (MX/port 25). STARTTLS must not be used for submission (port 587), because it is opportunistic and raw TLS is better in terms of security (foot-shooting proof because no connection is possible if not encrypted).
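A defender-side check of the distinction drawn above, written as an added example that is not part of this thread or of CryptCheck: on an SMTP listener the server speaks first, so a port that stays silent until the client starts a TLS handshake is implicit TLS, while a port that sends a cleartext 220 greeting is either STARTTLS (if EHLO advertises it) or plain cleartext. The EHLO reply and host name are constructed samples; `probe` needs network access, the two pure helpers do not.

```python
import socket
import ssl

# Constructed EHLO reply (not captured from any real server).
SAMPLE_EHLO = (b"250-mail.example.invalid\r\n250-SIZE 10240000\r\n"
               b"250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")


def parse_ehlo(response: bytes) -> set[str]:
    """Return the capability keywords advertised in an EHLO reply."""
    caps = set()
    # First line is the server's host name; the rest are "250-KEYWORD args"
    # (continuation) or "250 KEYWORD args" (final line).
    for line in response.decode("ascii", "replace").splitlines()[1:]:
        if len(line) > 4 and line[:3] == "250":
            keyword = line[4:].split(" ", 1)[0].upper()
            if keyword:
                caps.add(keyword)
    return caps


def classify(plaintext_banner: bool, caps: set[str]) -> str:
    """Classify a listener as 'implicit-tls', 'starttls' or 'cleartext'.
    plaintext_banner: True if the server sent a 220 greeting in the clear."""
    if not plaintext_banner:
        return "implicit-tls"
    return "starttls" if "STARTTLS" in caps else "cleartext"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port and decide how (or whether) TLS is offered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512)  # an SMTP listener greets first
        except socket.timeout:
            banner = b""             # silence: expect a TLS server instead
        if not banner:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.recv(512)        # greeting now arrives inside TLS
            return classify(False, set())
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        reply = sock.recv(4096)
        sock.sendall(b"QUIT\r\n")
        return classify(True, parse_ehlo(reply))
```

Run `probe("your.mail.host", 587)` against your own submission port: "implicit-tls" is the configuration recommended in this thread, "starttls" means clients can still be downgraded before the handshake, "cleartext" means no TLS is offered at all.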

ArchangeGabriel commented 6 years ago

I see. So given this is the documentation of OpenSMTPd which I’m using:

Secured connections are provided either using STARTTLS (tls), by default on port 25, or SMTPS (smtps), by default on port 465. tls-require may be used to force clients to establish a secure connection before being allowed to start an SMTP transaction.

should I be using smtps instead of tls-require? According to Wikipedia, SMTPS is deprecated: https://en.wikipedia.org/wiki/SMTPS.

aeris commented 6 years ago

SMTPS (465) is deprecated, but that concerns only MTA (server to server exchange). Submission (587) is MSA (user to server exchange) and allows explicit TLS instead of implicit STARTTLS.

ArchangeGabriel commented 6 years ago

OK. I suppose changing tls-require to smtps on port 587 should do it (after warning all users about the change). And this way I’ll be able to test in CryptCheck. ;)