MTA-STS and DANE for SMTP answer the question of when traffic must either be
encrypted or delivery postponed.
How shall it be encrypted?
Some sites (tools) present information, based on the offered protocols and
ciphers, about which browsers will work with an
HTTPS web server and which will not. One can then decide that accepting
connections from IE 8 is not a priority.
But for SMTP there is nothing similar. What matters is: if a weak cipher is
disabled on a mail host, which sites will
no longer be able to use STARTTLS with that host? E.g. disabling TLS 1.0 (and
SSL 3) will no longer allow encrypting
traffic with @gnu.org.
What happens to MTAs that are smart enough to understand MTA-STS or DANE, but
offer only weak ciphers?
Does anybody offer both EC and RSA certificates on their smtp:25 server, and
has this ever caused problems?
Does anybody offer both EC and RSA certificates with DANE on their smtp:25
server, and has this ever caused problems?
How many bits should DH parameters have to support an acceptable number of
mail hosts? Do too-large DH parameters break some clients?
Which elliptic curves should be offered so that communication works with an
acceptable number of hosts?
From which moment should there be penalties, in terms of falling back to
unencrypted traffic, for mail hosts offering only
weak encryption? Will this happen chaotically, or can any advice be drafted?
ietf-smtp mailing list
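The check the post asks for, which peers would lose STARTTLS if a local policy stopped offering TLS 1.0, can be measured directly rather than guessed. The script below is an added example, not code from the post or from any MTA: it opens a STARTTLS session to each given host twice, once with a "current" policy (TLS 1.0 and up) and once with a "hardened" policy (TLS 1.2 and up), records the negotiated version and cipher, and lists the hosts that only succeed under the weaker policy. Host names are taken from the command line; `mail.example.org` is a placeholder, the result dictionary in `hosts_broken_by` is constructed, and MX lookup is left to the caller. Certificate verification is disabled on purpose because the question is what the peer can negotiate, not whether it authenticates; DH parameter size is not exposed by Python's `ssl` module, so only the key-exchange family visible in the cipher name is reported.

```python
"""Probe which TLS versions/ciphers SMTP hosts still negotiate via STARTTLS under two local policies."""
import smtplib
import ssl
import sys

# Local policies to compare: minimum TLS version the sending side would still offer.
POLICIES = {
    "current": ssl.TLSVersion.TLSv1,      # today's permissive setting
    "hardened": ssl.TLSVersion.TLSv1_2,   # candidate setting: TLS 1.0/1.1 disabled
}


def make_context(min_version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context for opportunistic STARTTLS: measure negotiation, do not authenticate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    if min_version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 at security level >= 2 refuses TLS 1.0/1.1 regardless of
        # minimum_version; lower the level so the permissive policy is really tested.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass                        # builds without @SECLEVEL syntax
    return ctx


def probe_starttls(host: str, min_version: ssl.TLSVersion, port: int = 25, timeout: float = 15):
    """Return (ok, detail); detail is (tls_version, cipher_name, bits) or an error string."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "no STARTTLS offered"
            smtp.starttls(context=make_context(min_version))
            name, _proto, bits = smtp.sock.cipher()
            return True, (smtp.sock.version(), name, bits)
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def hosts_broken_by(results: dict, policy: str = "hardened", baseline: str = "current") -> list:
    """Hosts that negotiate STARTTLS under the baseline policy but fail under the stricter one.

    `results` maps host -> {policy_name: (ok, detail)} as produced by probe_starttls.
    """
    return sorted(h for h, r in results.items() if r[baseline][0] and not r[policy][0])


if __name__ == "__main__":
    hosts = sys.argv[1:] or ["mail.example.org"]   # placeholder host name
    results = {h: {p: probe_starttls(h, v) for p, v in POLICIES.items()} for h in hosts}
    for h, per_policy in results.items():
        for p, (ok, detail) in per_policy.items():
            print(f"{h:32} {p:9} {'OK  ' if ok else 'FAIL'} {detail}")
    print("Would lose STARTTLS under 'hardened':", hosts_broken_by(results))
```

Run it against the MX hosts of the domains you actually exchange mail with (`python3 probe.py mx1.example.net mx2.example.net`), and the last line is the list the post is asking for. Hosts that fail under both policies are not counted as "broken by hardening"; they were already falling back to cleartext.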