Open dadosch opened 6 years ago
If your submission port is in TLS and not STARTTLS, you can use the raw TLS scanner above yes. If with STARTTLS, there is currently no way to check (because SMTP is the real SMTP, with MX DNS and so on), I can change that in the new version.
Oh, I missed the fact that STARTTLS was not supported. Is there any advantage in STARTTLS over TLS btw?
STARTTLS is the only supported way for SMTP (MX/port 25). STARTTLS must not be used for submission (port 587), because it is opportunistic and raw TLS is better in terms of security (foot-shooting-proof because no connection is possible if not encrypted).
I see. So given this is the documentation of OpenSMTPd which I’m using:
Secured connections are provided either using STARTTLS (tls), by default on port 25, or SMTPS (smtps), by default on port 465. tls-require may be used to force clients to establish a secure connection before being allowed to start an SMTP transaction.
should I be using smtps instead of tls-require? According to Wikipedia, SMTPS is deprecated: https://en.wikipedia.org/wiki/SMTPS.
SMTPS (465) is deprecated, but that concerns only MTA (server to server exchange). Submission (587) is MSA (user to server exchange) and allows explicit TLS instead of implicit STARTTLS.
OK. I suppose changing tls-require to smtps on port 587 should do it (after warning all users about the change). And this way I’ll be able to test in CryptCheck. ;)
https://tls.imirhil.fr/tls ?
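The check the thread says CryptCheck could not do at the time, as an added example (not CryptCheck's or OpenSMTPD's code): a probe that classifies a listener as implicit TLS (what `smtps` gives you), STARTTLS (what `tls`/`tls-require` gives you) or plaintext-only. The fake server is a constructed fixture so the example runs offline; the host and port names are assumptions.

```python
import socket
import ssl
import threading

def _read_reply(sock):
    """Read one SMTP reply, multi-line included (the final line has a space after the code)."""
    buf = b""
    while not buf.endswith(b"\r\n") or buf.split(b"\r\n")[-2][3:4] != b" ":
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")

def classify_port(host, port, timeout=3.0):
    """'implicit-tls' (TLS from the first byte, like smtps), 'starttls' or 'plaintext-only'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return "implicit-tls"
    except ssl.SSLCertVerificationError:
        return "implicit-tls"  # TLS is spoken, the listener just presents an untrusted cert
    except OSError:
        pass  # handshake failed: the listener did not speak TLS first, so probe in plaintext
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_reply(s)  # 220 greeting
        s.sendall(b"EHLO probe.invalid\r\n")
        offered = "STARTTLS" in _read_reply(s).upper()  # capability list from the EHLO reply
        s.sendall(b"QUIT\r\n")
    return "starttls" if offered else "plaintext-only"

def start_fake_smtp(advertise_starttls):
    """Constructed test fixture: a plaintext SMTP listener on 127.0.0.1, not a real MTA."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    ehlo = b"250-fake.invalid\r\n" + (b"250-STARTTLS\r\n" if advertise_starttls else b"") + b"250 8BITMIME\r\n"
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(b"220 fake.invalid ESMTP\r\n")
                    while True:
                        data = conn.recv(4096)
                        if not data or data.upper().startswith(b"QUIT"):
                            break
                        conn.sendall(ehlo if data.upper().startswith(b"EHLO") else b"500 unknown\r\n")
                except OSError:
                    pass  # a TLS probe disconnects abruptly; just take the next client
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a port migrated to `smtps` the first handshake succeeds (or fails only on certificate trust) and the probe reports `implicit-tls`; a `tls-require` listener still answers the EHLO in clear and is reported as `starttls`.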