Re: [ietf-smtp] Possible cont4ibution to moving forward with RFC5321bis SMTP

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

> On Dec 26, 2019, at 5:03 PM, Keith Moore <moore@network-heretics.com> wrote:
> 
> To me it seems that all of this should be out-of-scope for 5321bis, or that the only mention of this in 5321bis should be to declare such things out-of-scope.   Requiring hop-by-hop encryption would be the most disruptive change in the history of SMTP, I think, far more so than EHLO.

It may well be too soon to *mandate* TLS, but we could perhaps MUST a
RECOMMENDED or a SHOULD for inter-domain relay of email.

Also SUBMIT on 587 is widely encrypted, and, for exampl, last 6 months of
Gmail's stats show north of 90% use of TLS, with a slightly more support
for TLS from client to server (inbound to Gmail) than at the server
(outbound from Gmail):

  https://transparencyreport.google.com/safer-email/overview?encrypt_out=start:1560988800000;end:1577318400000;series:outbound&lu=encrypt_out&encrypt_in=start:1560988800000;end:1577318400000;series:inbound

What's sometimes left unencrypted is:

  1. Submission and relay on "internal" networks, and

  2. A diminishing, but not yet negligible fraction of
     inter-domain relay traffic.

I don't think it would be unreasonable at this point to consider
at least "RECOMMENDED", and perhaps a "SHOULD" for use of STARTTLS
for case "2".

We could perhaps even "RECOMMEND" DANE and/or MTA-STS, but adoption
is much thinner for both[1].

-- 
-- 
	Viktor.
[1]

I see 1.73 million DANE domains, and O(500) domains with MTA-STS DNS records.

DANE presently covers 2-3 orders of magnitude more domains, while MTA-STS
likely covers 1-2 orders of magnitude more users, given the user count of
Gmail vs. comcast.net, web.de, gmx.de, ...).