localhost

sorting the wheat from the chaff

TLS: too soon to secure your email?

§ Part I: Disbelief

Some time ago I read about the STARTTLS Everywhere campaign by the EFF. I was immediately sold.

With the precious help of a friend (more knowledgeable than me on the matter), we configured my Postfix as follows:

# smtp_enforce_tls is an obsolete parameter; the smtp_tls_security_level setting below takes precedence over it
smtp_enforce_tls = no
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /path/to/letsencrypt/fullchain.pem
smtpd_tls_key_file = /path/to/letsencrypt/privkey.pem
smtpd_tls_received_header = yes

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 86400s
# <--- THIS is the important part! (inbound: refuse clients that will not negotiate TLS)
# Comments must sit on their own line: Postfix treats a trailing "# ..." as part of the parameter value.
smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 86400s
# <--- THIS is the important part! (outbound: bounce mail to servers that do not offer STARTTLS)
smtp_tls_security_level = encrypt
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high

After the changes everything works; so, let's start our experimentation period.

After a while (a couple of weeks), as I sent emails from my various accounts, some mail servers started spitting back my emails:

  • tin.it
  • tiscali.it
  • <another_italian_domain_pretty_important_to_me>

The error message I received is a nice:

Too much, too soon

Two of these mail servers belong to Italian national providers, not to an amateurish Postfix installation run by your know-it-all friend who plugs in printer power cords.

Surely they support TLS, right?

§ Part II: Technical support FTW ... or not?

This part will be really short. I contacted the admin contact listed for them, suggesting they improve their configuration, and, of course, my request was ignored.

Well, not exactly ignored: I could actually hear their laughter from thousands of km away.

So, all I could do was relax the configuration I was so proud of and allow more tolerant communication between SMTP servers:

smtp_tls_security_level = may
# smtp_tls_security_level = encrypt
smtpd_tls_security_level = may
# smtpd_tls_security_level = encrypt

followed by the usual postfix reload.
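A less blunt alternative to relaxing the level for every destination, added here as an example that is not part of the original post: keep the global level at "may" and use Postfix's smtp_tls_policy_maps to pin "encrypt" only for destinations that have been verified to advertise STARTTLS. The script below parses EHLO replies for the STARTTLS keyword and emits policy-map entries; the two EHLO replies and domain names are constructed, and probe_domain is an assumed helper for the live check against a real MX host (it is not needed to run the offline part).

```python
import smtplib
from typing import Dict

# Constructed EHLO replies (not captured from any real provider). The first
# advertises STARTTLS; the second does not, like the servers that bounced
# mail while the outbound level was "encrypt".
SAMPLE_EHLO_REPLIES: Dict[str, bytes] = {
    "good.example": b"mx.good.example Hello\nSIZE 52428800\nSTARTTLS\n8BITMIME\n",
    "plain.example": b"mx.plain.example Hello\nSIZE 10485760\n8BITMIME\n",
}


def ehlo_extensions(reply: bytes) -> set:
    """Return the ESMTP keywords advertised in a multi-line EHLO reply.

    The first line is the server greeting; each following line names one
    extension, optionally followed by parameters (e.g. "SIZE 52428800").
    """
    lines = reply.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def starttls_offered(reply: bytes) -> bool:
    return "STARTTLS" in ehlo_extensions(reply)


def probe_domain(mx_host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Assumed live helper (hypothetical, needs network): EHLO an MX host and
    report whether it advertises STARTTLS. smtplib keeps the advertised
    keywords lower-cased, hence has_extn("starttls")."""
    with smtplib.SMTP(mx_host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


def classify_replies(replies: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each destination domain to whether its server offered STARTTLS."""
    return {domain: starttls_offered(reply) for domain, reply in replies.items()}


def policy_map(results: Dict[str, bool]) -> str:
    """Render smtp_tls_policy_maps lines: "encrypt" where STARTTLS was seen,
    an explicit "may" elsewhere, so mail to those domains is never bounced.
    Entries are sorted so the generated file diffs cleanly between runs."""
    return "".join(
        f"{domain} {'encrypt' if offered else 'may'}\n"
        for domain, offered in sorted(results.items())
    )
```

Install the output with smtp_tls_policy_maps = hash:/etc/postfix/tls_policy after running postmap on the file; with the global smtp_tls_security_level left at "may", only the listed "encrypt" destinations will refuse to fall back to cleartext.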

§ Part III: To add insult to injury

Fun fact! I have an old, seldom-used email account on one of the above-mentioned internet providers. I meant to use that account from outside their country with the same SMTP settings because, well, what could possibly go wrong?

Ouch, *michael* doesn't like emails from evil countries

Although this is described on a support page of that provider, that doesn't make it any less awkward.
