See bottom post below.
On Wednesday, December 4, 2019 2:24:51 PM PST Phil Perry wrote:
> On 04/12/2019 22:03, Lists wrote:
> > I have a goal of securing email. Updated the company mail server and DNS
> > (CentOS 7 + Postfix, otherwise pretty stock) with support for SPF, DKIM,
> > and DMARC. So far, all good, and everything "just works".
> >
> > Our mail server has supported SMTP / TLS for a long time, but recently I've
> > been considering requiring TLS all the time.
> >
> > Is there anybody here who's done this? Has it caused any particular
> > fallout? I'm curious about:
> >
> > 1) Requiring SMTP / TLS for any inbound email.
> >
> > 2) Requiring SMTP / TLS for any outbound email.
> >
> > Thanks
>
> The obvious consideration is that if the other server does not offer
> tls, the connection will fail and you will not be able to communicate.
>
> Further RFC2487 states that enforcing tls must not be used on public
> facing mail servers.
>
> So if you want to enforce tls to ensure encryption on purely internal
> mail servers, that is fine but your external facing smtp servers must
> not enforce tls.
>
> See the Postfix tls documentation for more information:
>
> http://www.postfix.org/TLS_README.html
Is there a useful defense against STARTTLS being stripped from unencrypted
communications?

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Our company sometimes does business in countries hostile to encryption and if
there's a means to enforce this appropriately, I'd like to implement it.

Seems to me something like a DMARC DNS TXT flag would be appropriate for this:
smtptls=none|any|required; ? But that's just an idea.
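The following Postfix configuration is an added example illustrating the point raised in this thread; it is not from any of the posters. It shows how the quoted advice (keep the public MX opportunistic) and the wish to resist STARTTLS stripping can both be met: the receiving side stays at `may`, while the sending side uses `smtp_tls_policy_maps` from the linked TLS_README to fail closed only for chosen destinations. The certificate paths and the `partner-*.example` domains are placeholders; `/etc/pki/tls/certs` is assumed to be the CentOS 7 system CA directory.

```ini
# /etc/postfix/main.cf (excerpt) -- added example, not from the thread.

# Inbound: the public MX keeps STARTTLS opportunistic, as the quoted reply
# says it must; senders that cannot do TLS still get their mail accepted.
smtpd_tls_security_level = may
# Placeholder certificate and key paths.
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_loglevel = 1

# Outbound: opportunistic by default, but consult a per-destination policy
# table that can tighten the requirement for specific partner domains.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Trust anchors needed for the "secure" level (assumed CentOS CA directory).
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_loglevel = 1

# Optional: with a validating (DNSSEC) resolver on localhost, the "dane"
# level lets TLSA records published by a destination turn on enforcement
# automatically, without a manual policy entry.
# smtp_dns_support_level = dnssec
# smtp_tls_security_level = dane

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
# The destination domains below are placeholders for real partners.

# "encrypt": refuse to deliver unless STARTTLS is offered and succeeds.
# A stripped STARTTLS now defers the message instead of falling back to
# plaintext, and is logged as "TLS is required, but was not offered by host".
partner-a.example     encrypt

# "secure": additionally require a trusted certificate whose name matches
# the destination, which also defeats an interceptor offering its own TLS.
partner-b.example     secure match=partner-b.example:.partner-b.example

# "dane-only": fail closed when the destination's TLSA records are missing
# or unusable (requires the dnssec resolver setting above).
partner-c.example     dane-only
```

Mail to any domain not listed in the policy table still goes out opportunistically, so the global `may` level is what keeps the server RFC-compliant while the table carries the per-partner enforcement. Watch the maillog for the deferred-delivery messages after enabling an entry; they are the signal that a destination either lacks TLS or that something between the two servers is removing the STARTTLS offer.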