[LINK] Fwd: [PRIVACY] [apfma] AAP: AFP to use DPI to collect email metadata
Jeremy Visser
jeremy at visser.name
Tue Dec 10 20:57:37 AEDT 2013
On 10/12/13 18:06, Kim Holburn wrote:
> Mostly emails end up going between your server and your recipient's
> server in the clear, although that may start to change.
This is called Opportunistic TLS. It's already used by default in
recent versions of Exim and in Microsoft Exchange 2007 and onwards.
It's also easily enabled in Postfix with just a few lines added to
/etc/postfix/main.cf:
smtpd_tls_cert_file = /path/to/cert.pem
smtpd_tls_key_file = /path/to/priv.key
# server side: accept STARTTLS from connecting hosts
# (smtpd_tls_security_level = may is the Postfix 2.3+ spelling of this)
smtpd_use_tls = yes
# client side: use STARTTLS whenever the remote server offers it in EHLO
# (main.cf does not allow a comment on the same line as a value)
smtp_tls_security_level = may
# extra logging: note when a remote server offered STARTTLS
smtp_tls_note_starttls_offer = yes
Yes, Opportunistic TLS is still vulnerable to man-in-the-middle attacks
(e.g. Iran), but then again so is plain text. Rather, Opportunistic TLS
thwarts passive sniffing (e.g. NSA).
Policy maps may be used on a per-domain basis to enforce certificate
verification (either against a known fingerprint, or against certificate
authorities) to thwart man-in-the-middle attacks.