On 11/30/18 6:18 PM, Paul Wise wrote:
I've experienced spammers brute-forcing SMTP submission credentials and using that to send spam before, so I think that mitigating that using client-side TLS certs should be required, just as we do for SSH access to Debian machines. I'm not sure how many MUAs support that but MTAs do so using a local MTA to forward messages could be a reasonablish workaround.
That honestly sounds like building a parallel system with at least as much complexity as gpg, just to prevent a largely non-existent problem (forged emails — the whole thread has been about it's possible, but no reports of it happening). Of course, gpg is also a better (from a security standpoint) and more widely-supported solution, which is already deployed in Debian.
Though, for the record, it appears both Mutt and Thunderbird support TLS client certificates.
Or you could just require strong passwords :-/
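As an added illustration of the mitigation proposed at the top of the thread (not configuration from any Debian machine or from the posters), this is how a Postfix submission service can be made to refuse the TLS handshake unless the client presents a certificate signed by a site CA, with SASL still required on top, plus the "local MTA as forwarder" workaround for MUAs that cannot present a client certificate. Hostnames, file paths and the fingerprint line are placeholders; the mail server is assumed to be `mail.example.org` and the user's certificate is assumed to be enrolled in `relay_clientcerts`.

```conf
# Added example, not from the thread. Placeholder hostnames, paths and
# fingerprint; adapt to the real CA and certificate layout.

# ---- server side: /etc/postfix/master.cf ----
# A password guessed by brute force is useless here: without a CA-signed
# client certificate the TLS handshake is refused before AUTH is offered.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_CAfile=/etc/postfix/client-ca.pem
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_tls_clientcerts,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# ---- server side: /etc/postfix/main.cf ----
# Only certificates whose fingerprint is listed may use the service, so a
# revoked or unknown certificate from the same CA is still turned away.
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# ---- server side: /etc/postfix/relay_clientcerts (run postmap after editing) ----
# <sha256 fingerprint of the user's certificate>   <free-form comment>
# AB:CD:EF:...:01   alice-laptop      (placeholder fingerprint)

# ---- client side: /etc/postfix/main.cf on the user's machine ----
# Local MTA that forwards all mail through the submission port using the
# user's client certificate; the MUA then talks only to localhost.
relayhost = [mail.example.org]:587
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/postfix/alice-cert.pem
smtp_tls_key_file = /etc/postfix/alice-key.pem
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
```

With `smtpd_tls_req_ccert` set, a failed handshake shows up in the submission log before any `AUTH` attempt, which is also the place to watch for credential-guessing that the certificate requirement is blocking; the `permit_tls_clientcerts` fingerprint check is what lets an individual laptop's certificate be removed without reissuing the CA.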