SMTP
MTA-STS policy
Notes on MTA-STS:
- MTA-STS is layered on top of opportunistic STARTTLS on port 25.
- MTA-STS is enforced by the sender.
- MTA-STS-compliant senders validate the cert, whereas plain opportunistic TLS does not.
- MTA-STS forbids falling back to cleartext delivery and forbids ignoring cert errors.
- The sender issues EHLO, sees your STARTTLS advertisement, and, because your MTA-STS policy told it to, upgrades to TLS via STARTTLS and refuses to deliver if that upgrade fails or the cert doesn't validate. If the server certificate is not valid, or does not match a hostname in my policy's mx list, the sender does not deliver the message.
- MTA-STS only affects senders that support MTA-STS and that deliver to you via normal MX resolution for your domain.
- Direct-to-IP / smarthost / relay-configured senders are not affected by the MTA-STS policy. They send straight to your Exim SMTP port 25 and never look up your domain's MX or fetch your MTA-STS policy, so the policy is irrelevant to them. Whatever they do today (TLS or cleartext) is unchanged.
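As an added illustration of the sender-side decision described above (this is example code written for these notes, not part of any MTA or of the original text), the block below parses an MTA-STS policy in the RFC 8461 key/value format and applies the rule that a compliant sender follows in enforce mode: no TLS means no delivery, an invalid cert means no delivery, and the MX host must both appear in the policy's mx list (a leading "*." matches exactly one label) and be a name the certificate is valid for. The policy text and hostnames are constructed; the cert-validity inputs are plain booleans/lists standing in for what a real TLS stack would report.

```python
"""Added example: parse an MTA-STS policy and replay the sender's delivery
decision. Policy format follows RFC 8461 section 3.2 (key: value lines,
mx: may repeat, '*.' wildcard matches exactly one leading label).
All sample values below are constructed."""

from dataclasses import dataclass, field
from typing import List

# Constructed policy, as it would be served at the domain's mta-sts well-known URL.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> StsPolicy:
    """Parse policy text; reject unknown versions, bad modes and empty mx lists."""
    fields = {}
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())      # mx: may repeat
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if not mx and mode != "none":
        raise ValueError("policy has no mx entries")
    return StsPolicy(fields["version"], mode, mx, int(fields.get("max_age", 0)))


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 mx matching: '*.example.com' matches exactly one leading label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return hostname == pattern


def sender_decision(policy: StsPolicy, mx_host: str, tls_established: bool,
                    cert_chain_valid: bool, cert_names: List[str]) -> str:
    """Return 'deliver' or 'refuse' for one MX connection attempt.

    cert_names is the list of hostnames the server certificate is valid for
    (what a TLS library would extract from the SAN extension)."""
    if policy.mode != "enforce":
        return "deliver"                  # testing/none: failures are only reported
    if not tls_established:
        return "refuse"                   # no cleartext fallback allowed
    if not cert_chain_valid:
        return "refuse"                   # cert errors may not be ignored
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        return "refuse"                   # MX host is not in the policy's mx list
    if mx_host.lower() not in {n.lower() for n in cert_names}:
        return "refuse"                   # cert was not issued for this MX host
    return "deliver"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(policy)
    print(sender_decision(policy, "mail.example.com", True, True, ["mail.example.com"]))
    print(sender_decision(policy, "mail.example.com", False, True, []))
```

The same function also shows why the smarthost and direct-to-IP senders in the notes are unaffected: they never call anything like `parse_policy`, so none of these refuse paths exist for them.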
Exim logs for TLS vs non-TLS:
- The key field is P= (protocol) on the <= (message arrival) lines:
  - P=esmtps / P=smtps → TLS was used (note the trailing s).
  - P=esmtp / P=smtp → clear text, no STARTTLS.
  - An authenticated session adds an a suffix (P=esmtpa for clear text, P=esmtpsa for TLS), so match e?smtpa? and e?smtpsa? rather than the bare forms or those sessions are not counted.
# Clear-text arrivals (no trailing "s" on the protocol; the optional "a" covers authenticated sessions)
zgrep -h '<=' /var/log/exim4/mainlog* | grep -Ec ' P=e?smtpa? '
# TLS arrivals
zgrep -h '<=' /var/log/exim4/mainlog* | grep -Ec ' P=e?smtpsa? '
# How many distinct clients send clear text
# (keeps the whole H=host (helo) [ip] field as Exim logged it, so IPv6 literals and
#  lines with both a hostname and a HELO name are counted too)
zgrep -h '<=' /var/log/exim4/mainlog* \
  | grep -E ' P=e?smtpa? ' \
  | grep -oE 'H=[^]]*\]' \
  | sort | uniq -c | sort -rn
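For anything beyond a quick count, the grep pipeline above gets awkward: the H= field comes in three shapes (host (helo) [ip], (helo) [ip], host [ip]), IPs may be IPv6 literals, and local submissions have no H= at all. The block below is an added example written for these notes (not Exim's code and not from the original text) that parses arrival lines into structured records, classifies TLS vs clear text from the P= field including the esmtpa/esmtpsa forms, and groups clear-text arrivals by client IP. The log lines are constructed in Exim mainlog format; the message IDs, addresses and IPs are not real.

```python
"""Added example: parse Exim mainlog '<=' lines and report TLS vs clear-text
arrivals per client. Sample log lines below are constructed, not a real log."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Exim mainlog format (not from a real server).
SAMPLE_LOG = """\
2024-05-01 10:00:01 1s1Abc-000123-Xy <= alice@example.org H=mail.example.org (mail.example.org) [203.0.113.10] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=1234
2024-05-01 10:05:02 1s1Abd-000124-Zz <= bob@example.net H=(smarthost) [198.51.100.7] P=esmtp S=2048
2024-05-01 10:06:03 1s1Abe-000125-Qq <= carol@example.com H=relay.example.com [2001:db8::25] P=esmtp S=512
2024-05-01 10:07:04 1s1Abf-000126-Rr => dave@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.25] C="250 OK"
2024-05-01 10:08:05 1s1Abg-000127-Ss <= root@localhost U=root P=local S=300
2024-05-01 10:09:06 1s1Abh-000128-Tt <= app@example.net H=(app01) [198.51.100.9] P=esmtpa A=plain:app S=900
2024-05-01 10:10:07 1s1Abi-000129-Uu <= bob@example.net H=(smarthost) [198.51.100.7] P=esmtp S=2100
"""

# date time msgid <= sender rest-of-line
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
PROTO_RE = re.compile(r"(?:^| )P=(\S+)")
# H=host (helo) [ip]  |  H=(helo) [ip]  |  H=host [ip]   (ip may be IPv6)
HOST_RE = re.compile(
    r"H=(?:(?P<host>[^ (\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)


@dataclass
class Arrival:
    msg_id: str
    sender: str
    proto: str
    host: Optional[str]
    helo: Optional[str]
    ip: Optional[str]

    @property
    def tls(self) -> bool:
        # Exim appends 's' for TLS and 'a' for auth: esmtps, esmtpsa, smtps are TLS
        return self.proto.rstrip("a").endswith("s")

    @property
    def over_network(self) -> bool:
        return self.ip is not None        # P=local submissions carry no H=


def parse_arrival(line: str) -> Optional[Arrival]:
    """Return an Arrival for a '<=' line, or None for any other log line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None                       # e.g. a '=>' delivery line
    rest = m.group("rest")
    p = PROTO_RE.search(rest)
    h = HOST_RE.search(rest)
    return Arrival(
        msg_id=m.group("id"),
        sender=m.group("sender"),
        proto=p.group(1) if p else "unknown",
        host=h.group("host") if h else None,
        helo=h.group("helo") if h else None,
        ip=h.group("ip") if h else None,
    )


def parse_log(text: str) -> List[Arrival]:
    return [a for a in (parse_arrival(line) for line in text.splitlines()) if a]


def summarize(arrivals: List[Arrival]):
    """Return (tls_count, cleartext_count, Counter of clear-text client IPs)."""
    net = [a for a in arrivals if a.over_network]
    tls = sum(1 for a in net if a.tls)
    clear = [a for a in net if not a.tls]
    return tls, len(clear), Counter(a.ip for a in clear)


if __name__ == "__main__":
    tls_n, clear_n, clients = summarize(parse_log(SAMPLE_LOG))
    print(f"TLS arrivals: {tls_n}, clear-text arrivals: {clear_n}")
    for ip, n in clients.most_common():
        print(f"{n:4d}  {ip}")
```

To run it over a real mainlog, replace `SAMPLE_LOG` with the file contents (or feed `parse_arrival` line by line); the per-IP counter is the list of clients that would still arrive in clear text regardless of the MTA-STS policy, which is exactly the smarthost/relay population the notes above describe.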