2013/11/28

SMTP over TLS, do it or not

After careful deliberation, I propose to my department not to do SMTP over TLS. I am sure I have made the right decision. The considerations are as follows:


1. Fewer than 1 % of mail servers globally might support this function.

2. There is no standard or recommended practice on whether self-signed certificates may be accepted on the server or client side.

3. Equally, there is no standard or recommended practice on whether servers should request that clients present their certificates for authentication.

4. In the absence of industry practice, network administrators set their SMTP TLS settings arbitrarily or use the defaults provided by commercial off-the-shelf security gateways/appliances.

5. A lot of mail servers that might have operated for many years have outdated CA lists.

6. In case of mail delivery failure, it is nearly impossible to conduct troubleshooting or to request the other side to amend their settings.

Opportunistic TLS encryption could only be achieved if there were a supporting recommended industry practice.
