TLSRPT comes to Open Source

K.4.601 | Day 1 | 14:30 - 15:00 | Speakers: Patrick Ben Koetter


Abstract

My talk will introduce you to TLSRPT and show you how to configure Postfix to send TLSRPT datagrams to a TLSRPT report service. TLSRPT is to TLS security what DMARC is to anti-phishing: it allows you not only to establish standards like STARTTLS, MTA-STS or DANE for secure message transport, but also to verify via reports that those security levels are being upheld.

It allows a sender platform to inform receiving platforms how often a TLS connection from the sender to the recipient was successful and, if not, why. It is a major improvement over self-monitoring your MTA service because, in contrast to self-monitoring, it creates a worldwide view of how others "see" your platform. It makes it possible, for example, to make visible the areas of the network where TLS fails, to investigate, and ideally to fix the problem in order to keep communication secure.

Previously, the capability to create and send TLSRPT reports was limited to a few major platforms running their own or a commercial MTA. This will change in early 2025. The Postfix MTA will be the first Open Source MTA to implement functionality that makes it possible to send TLSRPT-relevant data to a TLSRPT report service. The service will collect the data, create a report and pass it on to an MTA for delivery or submit it directly via HTTP.

Postfix’s new feature is the result of a collaborative effort between Wietse Venema, the creator of Postfix, and my company sys4, as we want to foster TLSRPT (also because it hinders German providers from qualifying to become BSI-approved "Secure E-Mail Platforms").

We created an Open Source low-level C library that can be used by any MTA, not only Postfix, and the service required to create TLSRPT reports. Both can be downloaded from GitHub. We hope many other Open Source projects will use the library and the service to implement TLSRPT reporting in their MTA.

Speakers

Patrick Ben Koetter
