Indeed, many sysadmins of the time lauded qmail's lack of supporting "standard features" in the name of "security" which sadly was still a new concept on the Internet.
Something to consider: SMTP over TLS offers some privacy and confidentiality between two mail servers that have established a trust relationship, but it offers no protection against an upstream network (who can simply fake some DNS records and get a letsencrypt certificate) or a state actor (who simply threatens the CA). I think referring to "SMTP over TLS" as "secure" is dangerous because it leads us to equate "more code" as providing security.
I find it discouraging that it's almost 2018 and this function of E-mail has not been made standard in all clients yet.
I understand the concerns about trust, but why not make trust the extra step for now, and make encryption the standard. And in time we can standardize trust as well. (I know it's pretty standard already but I'm thinking about 'the average user')
"Well I can't trust the source so why bother with encryption" is what we have presently, and that's just ridiculous.
"What's your email address" is about 90-120 bits of information -- a long way from the 2000-5000 bits that are in a public key. I figure if we solve this problem then we can make encrypting email the norm.
[1]: https://www.tenable.com/plugins/index.php?view=single&id=102...
Indeed, many sysadmins of the time lauded qmail's lack of supporting "standard features" in the name of "security" which sadly was still a new concept on the Internet.
Something to consider: SMTP over TLS offers some privacy and confidentiality between two mail servers that have established a trust relationship, but it offers no protection against an upstream network (who can simply fake some DNS records and get a letsencrypt certificate) or a state actor (who simply threatens the CA). I think referring to "SMTP over TLS" as "secure" is dangerous because it leads us to equate "more code" as providing security.