As I manage my own mail server with postfix, I was curious to see how many connecting mail server do not use best practise and drop their mail without transport encryption. In the end I was possible to create my own list of shame of domains.
First it is important that postfix supports TLS encryption. There are a lot of good guides on the web.
Then you need to ensure that the correct logging is enabled in /etc/postfix/main.cf:
smtpd_tls_loglevel = 1
Now you can have a look at your logs for example with this cool tool: postfix-logwatch.
But for my list of shame I needed to write a new script:
#! /bin/bash
logpath="/var/log/messages*" # Adapt to your needs
ignoreDomain="test.org" # for example your local domain
yesTLS=$(zegrep -A1 'smtpd.*: connect from' $logpath | grep -v 'smtpd.*: connect from' | grep -v '\-\-' | grep 'Anonymous TLS connection established' | wc -l)
noTLS=$(zegrep -A1 'smtpd.*: connect from' $logpath | grep -v 'smtpd.*: connect from' | grep -v '\-\-' | grep 'smtpd.*: client=' | wc -l)
NoTLSwoMe=$(zegrep -A1 'smtpd.*: connect from' $logpath | grep -v 'smtpd.*: connect from' | grep -v '\-\-' | grep 'smtpd.*: client=' | grep -v $ignoreDomain | wc -l)
echo "List of Shame:"
zegrep -A1 'smtpd.*: connect from' $logpath | grep -v 'smtpd.*: connect from' | grep -v '\-\-' | grep 'smtpd.*: client=' | grep -v $ignoreDomain | sed 's/.*client=\(.*\)\(\[.*\)/\1\t\t\2/' |sort | uniq -c |sort
echo "-----------------------------------------"
echo -e "Connections with TLS:\t\t\t" $yesTLS
echo -e "Connections wo TLS - incl. local:\t" $noTLS
echo -e "Connection wo TLS - remote:\t\t" $NoTLSwoMe
echo -e $(echo 100*$NoTLSwoMe/$yesTLS| bc)"% of the remote connections dont use TLS"
The script should work without to much modification on any postfix installation.
It is kind of depressing to see how many big domains ignore transport encryption. But with this script I found already two mail servers which just had configuration errors.