From: Dave Täht
To: Juliusz Chroboczek
Cc: bloat@lists.bufferbloat.net
Date: Wed, 27 Jan 2016 10:48:24 -0800
Subject: Re: [Bloat] STARTTLS [was: nearly 5 years of bufferbloat.net]
Message-ID: <56A910F8.7080809@taht.net>
In-Reply-To: <7imvrrt02y.wl-jch@pps.univ-paris-diderot.fr>
References: <56A7FE5E.1030401@taht.net> <7imvrrt02y.wl-jch@pps.univ-paris-diderot.fr>
List-Id: General list for discussing Bufferbloat

On 1/27/16 9:16 AM, Juliusz Chroboczek wrote:
>> http://the-edge.taht.net/post/starttls_considered_helpful/
>
> Did you bounce mail when the first MX contacted didn't do STARTTLS, or did
> you bounce when none of the MXes for a domain supported it? In other
> words, did you treat lack of STARTTLS as a transient or permanent error?

Postfix when set to encrypt always treats lack of TLS support on the other exchanger(s) as a transient error, and retries by default for 3 days.
Example:

Jan 27 17:16:11 mail postfix/smtp[10770]: 801CD21331: to=, relay=brevard.conman.org[elided]:25, delay=67644, delays=67640/0.01/4/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host brevard.conman.org[elided])

So this made it safer to temporarily make it mandatory, do email for a few hours, get who failed out of my logs, craft the email to those failing, then relax the defaults for starttls back to "may".

Google reports that 82% of their outbound email and only 58% of their inbound email is covered by starttls, and there are distinct regional differences... notably, free.fr in your region is not using starttls on inbound at all, it seems.

Ton of data at: https://www.google.com/transparencyreport/saferemail/

And sadly, the growth curve for uptake in the past year appears flat.
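The "get who failed out of my logs" step above, as an added example that is not part of the original post: a small Python parser that reads Postfix smtp log lines, keeps only deliveries deferred with DSN 4.7.4 (the "TLS is required, but was not offered" case), and groups them by remote MX so the operator knows whom to contact before relaxing the policy back to "may". The log lines, hostnames and addresses below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed Postfix smtp log lines (not taken from the post); relays and
# addresses use RFC 2606 / RFC 5737 documentation values.
SAMPLE_LOG = """\
Jan 27 17:16:11 mail postfix/smtp[10770]: 801CD21331: to=<alice@example.org>, relay=mx1.example.org[192.0.2.10]:25, delay=67644, delays=67640/0.01/4/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx1.example.org[192.0.2.10])
Jan 27 17:16:12 mail postfix/smtp[10771]: 9A3B021332: to=<bob@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=0.4, delays=0.1/0.01/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 27 17:16:13 mail postfix/smtp[10772]: 1C4D521333: to=<carol@example.org>, relay=mx2.example.org[192.0.2.11]:25, delay=3601, delays=3600/0.01/1/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx2.example.org[192.0.2.11])
Jan 27 17:16:14 mail postfix/smtp[10773]: 7E2AA21334: to=<dave@example.net>, relay=none, delay=30, delays=30/0/0/0, dsn=4.4.1, status=deferred (connect to mx.example.net[203.0.113.7]:25: Connection refused)
"""

# Fields of a postfix/smtp delivery record: queue id, recipient, relay,
# DSN code, delivery status and the parenthesised reason text.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

TLS_NOT_OFFERED = "TLS is required, but was not offered"


def parse_line(line):
    """Return the delivery record as a dict, or None if not a smtp delivery line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def starttls_failures(log_text):
    """Map each remote MX that refused to offer STARTTLS to the sorted list of
    recipient domains whose mail was deferred (status=deferred, dsn=4.7.4).
    Other deferrals (e.g. 4.4.1 connection failures) are ignored."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "deferred" or rec["dsn"] != "4.7.4":
            continue
        if TLS_NOT_OFFERED not in rec["reason"]:
            continue
        host = rec["relay"].split("[", 1)[0]          # strip "[ip]:port"
        failures[host].add(rec["rcpt"].rsplit("@", 1)[-1])
    return {host: sorted(domains) for host, domains in failures.items()}


if __name__ == "__main__":
    for host, domains in starttls_failures(SAMPLE_LOG).items():
        print(f"{host}: no STARTTLS, deferred mail for {', '.join(domains)}")
```

Run it against a real mail log with `starttls_failures(open("/var/log/mail.log").read())`; the 4.7.4 filter keeps ordinary connection or queue deferrals out of the contact list.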