From 328f2e2ecf849276b349dcfc73a63370c369914f Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 01:55:07 +0200 Subject: [PATCH] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index d3fdb5e5..5c871ff3 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -78,6 +78,8 @@ When talking about emails, the following applies: As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control! -When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections. Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: Eventually it is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. +When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections, but still capable of handling opportunistic TLS. 
Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: + +We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). It means clients without support for TLS are not supported by default. Eventually it is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security.
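Review bot: In the added "We believe ..." paragraph, the phrase "enforcing TLS, either opportunistic or implicit" contradicts the paragraph just above it. That paragraph contrasts _opportunistic_ STARTTLS with _enforcing_ TLS, then says the offer is strict (`encrypt`) and that unencrypted requests are dropped. A reader cannot tell whether "opportunistic" here means "TLS if the client accepts it" or "TLS required, negotiated through STARTTLS". Since the text says no plain text exchange occurs, consider wording such as "requiring TLS, negotiated either through STARTTLS or implicitly", and dropping "opportunistic" from the first paragraph's description of the default as well. Two smaller points in the same added paragraph: "recommandation" should be "recommendation", and "It means clients without support for TLS are not supported by default" would be clearer if it named the setting that relaxes this, given that the next sentence tells users to choose their own transport encryption.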