@link2xt link2xt commented Oct 20, 2025

We already require that outgoing connections
use STARTTLS so other servers need a valid TLS
certificate to accept messages from us.
It is then very unlikely that they cannot use TLS
to send messages to us.

Conversely, if they can only send messages to us without TLS, it likely does not have STARTTLS on its port 25
and then we don't want to accept messages from them because we will likely not be able to reply.

Closes #681

@link2xt link2xt force-pushed the link2xt/require-incoming-tls branch 2 times, most recently from 2dd822b to 13056b0 Compare October 20, 2025 22:24
@link2xt link2xt marked this pull request as draft October 21, 2025 04:53

link2xt commented Oct 21, 2025

Tests need to stop using plaintext connections.

@link2xt link2xt force-pushed the link2xt/require-incoming-tls branch 2 times, most recently from daee00c to 8562ccc Compare October 23, 2025 01:23
We already require that outgoing connections
use STARTTLS so other servers need a valid TLS
certificate to accept messages from us.
It is then very unlikely that they cannot use TLS
to send messages to us.

Conversely, if they can only send messages to us without TLS,
it likely does not have STARTTLS on its port 25
and then we don't want to accept messages from them
because we will likely not be able to reply.
@link2xt link2xt force-pushed the link2xt/require-incoming-tls branch from 8562ccc to 2e0a8cb Compare October 23, 2025 02:18
@link2xt link2xt marked this pull request as ready for review October 23, 2025 02:32
@link2xt link2xt requested review from hpk42 and missytake and removed request for missytake October 24, 2025 22:53

Successfully merging this pull request may close these issues.

Improve Transport Encryption
