Forcing MTA Security


#1

So I had created a different thread about PKI/client-side/data at rest security, but I wanted to ask about more reasonable amounts of security.

I know that horrible mail servers exist where they’re configured to not even be capable of TLS/SSL. I know there’s an option in Postfix to have security as a may, must (or “yes”, I forget), and no. Since humanity hates itself, we still allow security as a may to be acceptable, since we feel sorry for horrible system administrators.

However, I imagine there are many scenarios where sensitive data may need to be sent via email. In which case, I wanted to know if it were possible to have a domain for “may” security (example.com) and another domain for “must” security (secure.example.com), where it would reject any incoming/outgoing insecure MTA-to-MTA communication. Like, I would want to register my Paypal account with me@secure.example.com and maybe put me@example.com on a business card, for the dum dums who still use mail providers that don’t enable security. If a conversation escalated with a person, I would ask that person to start sending mail to secure.example.com or maybe change the reply-to and sent-from fields, so that it could smoothly transition between the two mail accounts (I would probably want to configure my box to manage both accounts using the same inbox/sent/draft/spam/junk stuff).

EDIT: also, is it possible to auto-send back an unencrypted error email, saying something to the effect of “Sorry, but your mail server does not support security. This is a secure mail server. Please either use another mail account on a mail server with enabled security, or contact your mail server administrator about enabling security on your server.” for users who attempt to send mail that don’t allow secure mail?


#2

If you are looking to increase email security, I’d encrypt the emails you send (client plugin!) with GPG/PGP.

Email is, by design, a clear-text transport of information. Try one of these:

Never rely on servers to do your encryption. That’s my best practice. I encrypt where and when I can client side as that is the safest way to do it.


#3

In an ideal world yes, but §GP(G) isn’t always an option. For example sometimes I have to send my personal information as part of a KYC procedure, and most companies don’t bother dealing with encrypted mail. I prefer using e-mail over phone, live chat and such so I’d like to know when I can do that safely.


#4

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.