How widely supported is forced TLS on inbound SMTP connections?

Solution 1:

This is a very complicated question given that the mail providers of the world do not readily provide statistics on their mail servers.

Self Diagnosis

To determine the answer to your question based on your own server/domain peers, you could enable SSL logging:

# each setting must be passed to postconf -e as one 'name = value' argument
postconf -e 'smtpd_tls_loglevel = 1' 'smtpd_tls_security_level = may'

# confirm the two settings took effect, then reload
postconf smtpd_tls_loglevel smtpd_tls_security_level
postfix reload

This assumes that you save your mail syslog messages for a while. If not, perhaps set up a syslog archiving strategy and write a shell script to summarize the TLS usage on your server. Perhaps there are already scripts to do this.

Once you are comfortable that all of your peers support TLS and at the cipher and protocol strength that you are willing to enforce, then you can make an informed decision. Every environment is different. There is no one answer that will meet your needs.

My own personal experience

For what it's worth, my own personal mail server enforces TLS. This has a funny side effect of negating most of the spam bots, as most of them do not support TLS. (Up until that change, I was relying on the S25R regexp methodology.)

Update

It has been one year since I answered this and the only problems I have had receiving email with TLS forced on was from the front end web servers at Blizzard (parental controls) and Linode's management system. Everyone else I interact with appears to support TLS with strong ciphers just fine.

Corporate Environment

In a corporate environment, I would strongly encourage you to enable TLS logging and leave that running for quite a long time before enforcing TLS. You can always enforce TLS for specific domain names in the tls_policy file.

postconf -d smtp_tls_policy_maps

The Postfix site has some great documentation on the usage of TLS policy maps. You can at least ensure that specific domains that provide sensitive information are encrypted even if an ISP tries to strip out the TLS support in the initial server connection.