Re: dragonfly mail agent (dma) no tls by default
- In reply to: Paul Eskello : "dragonfly mail agent (dma) no tls by default"
Date: Sun, 24 Nov 2024 21:45:31 UTC
Hello,

>tls (yeah well, starttls)

I recommend — in the strongest possible terms — that you NEVER rely on STARTTLS, instead specifying the IMAPS (993) and SMTPS (465) ports and mandating TLS on every connection.

2014: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
2021: https://lwn.net/Articles/866481/

Cheers,
Alex

----------------------------------------
2024-11-24T17:32:30Z Paul Eskello <paul.eskello@gmail.com>:
> Hi gang (m/f/x),
>
> Today I accidentally discovered my mailhub did not use tls sending outbound email, for some mail. It turned out my old procmail uses sendmail which is now dma, since I upgraded to freebsd 14.
>
> I enabled SECURETRANSFER and STARTTLS in /etc/dma.conf. Done. :-) After thinking about it, I presume I missed a HEADS UP, since all is well documented in https://docs.freebsd.org/en/books/handbook/mail/ . I scribbled some lines to my upgrade checklist.
>
> But then I started to wonder: why is tls (yeah well, starttls) disabled by default? Isn't that too conservative in soon-to-be 2025?
>
> P
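A small audit script for the two dma.conf setups discussed in this thread (the STARTTLS one from the quoted message and the implicit-TLS-on-465 one from the reply), added here as an example that is not from either poster or from the dma project. It assumes the dma(8) configuration keys SECURETRANSFER, STARTTLS, OPPORTUNISTIC_TLS and PORT with their documented meanings; the sample configs inside it are constructed.

```shell
#!/bin/sh
# Classify how a dma.conf will talk to its smarthost, using the keys from
# dma(8) (assumed): SECURETRANSFER = use TLS, STARTTLS = negotiate it in band
# instead of a direct TLS connection, OPPORTUNISTIC_TLS = fall back to
# plaintext if TLS is unavailable, PORT = smarthost port.

# Print the value of KEY from the config text CONF ("yes" for a bare flag,
# empty if the key is absent or commented out).
dma_conf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { val = ($2 == "") ? "yes" : $2 }
        END { print val }'
}

# Print the transport mode for CONF and exit 0 only for implicit TLS
# (the SMTPS-on-465 setup recommended in the reply above).
dma_tls_mode() {
    cfg=$1
    if [ -z "$(dma_conf_get "$cfg" SECURETRANSFER)" ]; then
        echo plaintext          # no TLS at all (dma's default)
        return 1
    elif [ -n "$(dma_conf_get "$cfg" OPPORTUNISTIC_TLS)" ]; then
        echo opportunistic      # TLS attempted, silent plaintext fallback
        return 1
    elif [ -n "$(dma_conf_get "$cfg" STARTTLS)" ]; then
        echo starttls           # TLS negotiated in band after a plaintext hello
        return 1
    fi
    echo "smtps port=$(dma_conf_get "$cfg" PORT)"   # direct TLS on connect
    return 0
}

# Constructed samples: the STARTTLS setup from the quoted message (with the
# opportunistic fallback that makes a downgrade silent), and the implicit-TLS
# setup from the reply.
WEAK_CONF='SMARTHOST mail.example.com
PORT 587
SECURETRANSFER
STARTTLS
OPPORTUNISTIC_TLS'

HARDENED_CONF='SMARTHOST mail.example.com
PORT 465
SECURETRANSFER'

for sample in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s\n' "$(dma_tls_mode "$sample" || true)"
done
```

To check a live host, run `dma_tls_mode "$(cat /etc/dma.conf)"` and treat a non-zero exit as a finding.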