Posted to server-dev@james.apache.org by Tellier Benoit <bt...@apache.org> on 2019/11/06 04:42:32 UTC

Require SSL for remote SMTP delivery by default?

Hi,

Within [2] I am working on documenting how to secure remote delivery with
SSL and startTls.

Matthieu Baechler asks whether we should require encrypted delivery
(startTls / ssl) by default in the shipped configuration.

This comes with trust issues: we might end up enabling
mail.smtp.ssl.trust as a wildcard, which is a security hole as well (but
at least traffic will be encrypted).

Note that GMail (which had been reported to reject James traffic [1])
might still need a valid SSL certificate as well.

Finally, underlying such a choice, I want to bring people's attention to the
fact that we currently have no integration tests on RemoteDelivery SSL / startTls,
and lack the dockerized SSL SMTP servers to add this to the James test
suite. I proposed an issue related to this [3] (contributions
welcomed!). This should in my opinion be a prerequisite for this
proposal's acceptance.

[1] https://www.mail-archive.com/server-user@james.apache.org/msg16199.html
[2] https://github.com/linagora/james-project/pull/2823
[3] https://issues.apache.org/jira/browse/JAMES-2969

Regards,

Benoit
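
The trade-off raised in this message (requiring TLS versus setting mail.smtp.ssl.trust to a wildcard), shown as an added example that is not part of the original message and is not James code. It audits a set of JavaMail SMTP properties; the class name, helper names and sample configurations are hypothetical, and treating an unset property as false is an assumption that matches the JavaMail 1.x defaults.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example (not James code): audits JavaMail SMTP properties for remote delivery.
public class RemoteDeliveryTlsAudit {
    private static boolean flag(Properties p, String key) {
        // Assumption: an unset property is treated as false (the JavaMail 1.x default).
        return Boolean.parseBoolean(p.getProperty(key, "false").trim());
    }
    // Returns one finding per weakness; an empty list means encrypted and authenticated.
    static List<String> audit(Properties p) {
        List<String> findings = new ArrayList<>();
        boolean implicitTls = flag(p, "mail.smtp.ssl.enable");
        if (!implicitTls && !flag(p, "mail.smtp.starttls.enable")) {
            findings.add("no TLS: mail is delivered in clear text");
            return findings;
        }
        if (!implicitTls && !flag(p, "mail.smtp.starttls.required")) {
            findings.add("STARTTLS not required: falls back to clear text when the server does not offer it");
        }
        // "*" trusts every host; any other value is a whitespace-separated host list.
        String trust = p.getProperty("mail.smtp.ssl.trust", "").trim();
        if (trust.equals("*")) {
            findings.add("mail.smtp.ssl.trust=*: any certificate is accepted, so traffic is encrypted but the peer is not authenticated");
        } else if (!trust.isEmpty()) {
            findings.add("listed hosts are trusted regardless of the certificate they present: " + trust);
        }
        if (!flag(p, "mail.smtp.ssl.checkserveridentity")) {
            findings.add("server hostname is not checked against the certificate");
        }
        return findings;
    }
    private static Properties props(String... kv) {
        Properties p = new Properties();
        for (int i = 0; i < kv.length; i += 2) p.setProperty(kv[i], kv[i + 1]);
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample configurations, not taken from a James distribution.
        Properties wildcard = props("mail.smtp.starttls.enable", "true",
                "mail.smtp.starttls.required", "true", "mail.smtp.ssl.trust", "*");
        Properties strict = props("mail.smtp.starttls.enable", "true",
                "mail.smtp.starttls.required", "true", "mail.smtp.ssl.checkserveridentity", "true");
        System.out.println("wildcard -> " + audit(wildcard));
        System.out.println("strict   -> " + audit(strict));
    }
}
```

The strict configuration yields no findings only if the remote server's certificate chains to a CA in the JVM trust store, which is the trust issue the message points out.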
