by bryankeithmoore
3067 days ago
For the case of mail submission, there is a lot of legacy hardware/firmware out there still in use that simply doesn't support TLS, is mission-critical, and is likely to become obsolete before anyone upgrades it. A lot of that traffic is considered nonsensitive by those who need it, so trying to force them to be secure isn't going to go over well. Despite that, RFC 8314 recommends that MSPs deprecate cleartext submission and mail access, but it doesn't specify a timetable because the situations vary too widely from one provider to another. For message relaying, your proposal might indeed work. The vast majority of inter-domain mail traffic goes through a very small number of providers. No mail provider can afford to not be able to exchange mail with gmail, or office365, or ...
It is trivial to set up a mail server with TLS, and if you don't have fucking TLS, bounce it through a protocol upgrade server. If you understood the type of secrets that are getting trivially intercepted, you'd realize that a couple of hard days for a couple of lazy sysadmins is a tiny price to pay for the drastic increase in security.

People are literally getting killed because we're so fucking lazy. Even three-letter agencies are sending mail without TLS; this is madness.