Its for the MTA (message transfer agent) (server to server) traffic on port 25.
postfix discourages it. Quote Postfix Configuration Parameters
This security level is not an appropriate default for systems delivering mail to the Internet.
I haven’t found any security blogs / advice setting postfix
on search engines. Whonix.org would be the first one to do this.
There are two cases:
- A) third-party servers that receive e-mails to whonix.org that harden their security
- B) those that don’t.
In case of A), outgoing e-mail TLS encryption is already enforced through MTA-STS or DANE.
In case of B), well, if the servers that receive e-mails from whonix.org don’t care about MTA-STS or DANE we might be able to force them to use TLS by switching that setting.
E-mail security generally is awful anyhow. A supported stronger patch so to speak is OpenPGP - Kicksecure.
- This is only about the whonix.org server for sending e-mails to users, probably for forums/wiki account/notifications.
- This isn’t about the Whonix software.
- Whonix is not and does not aspire to become an e-mail service that offers services to users.
- Sending e-mail from whonix.org is only a very auxiliary project activity that I’ve assigned a very low priority given all other development work.
- Private Communications Policy
For sending e-mails, compatibility is more important than transport layer security because incoming e-mails might have legal importance (when replying to a legal request that is hopefully never coming). Also users attempting to sign-up using some new temporary / throw-away / passwordless / no sign-up required e-mail service might not receive their sign-up e-mail and not even receive a notification why that is happening. Also this issue would be difficult to debug, only by keeping e-mail logs and investigating these if a user manages to report the issue using a functional e-mail address somehow.
For these reasons, I won’t implement this.
I think this has better reasonable cause to keep the encryption “may” specially when forums/wiki… registrations included.
(Although its very bizarre nowadays to have someone using old and insecure email server setup on his machine)