{"id":4830,"date":"2026-02-08T23:11:14","date_gmt":"2026-02-08T20:11:14","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/e-posta-tasirken-ve-gonderirken-zorunlu-sifreleme-starttls-dane-mta-sts-ve-tls-politikalari-nasil-birlikte-kurulur\/"},"modified":"2026-02-08T23:11:14","modified_gmt":"2026-02-08T20:11:14","slug":"e-posta-tasirken-ve-gonderirken-zorunlu-sifreleme-starttls-dane-mta-sts-ve-tls-politikalari-nasil-birlikte-kurulur","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/e-posta-tasirken-ve-gonderirken-zorunlu-sifreleme-starttls-dane-mta-sts-ve-tls-politikalari-nasil-birlikte-kurulur\/","title":{"rendered":"Mandatory Encryption When Migrating and Sending E-mail: How to Set Up STARTTLS, DANE, MTA-STS and TLS Policies Together"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Eposta_sifrelemesini_gercekten_zorunlu_hale_getirmek\"><span class=\"toc_number toc_depth_1\">1<\/span> Making e-mail encryption truly mandatory<\/a><\/li><li><a href=\"#SMTP_uzerinden_TLS_nasil_calisir_Temeli_netlestirelim\"><span class=\"toc_number toc_depth_1\">2<\/span> How does TLS over SMTP work? Let's get the basics straight<\/a><ul><li><a href=\"#STARTTLS_nedir\"><span class=\"toc_number toc_depth_2\">2.1<\/span> What is STARTTLS?<\/a><\/li><li><a href=\"#Opportunistic_TLS_vs_zorunlu_TLS\"><span class=\"toc_number toc_depth_2\">2.2<\/span> Opportunistic TLS vs mandatory TLS<\/a><\/li><\/ul><\/li><li><a href=\"#DANE_ile_DNS_tabanli_TLS_politikasi\"><span class=\"toc_number toc_depth_1\">3<\/span> DNS-based TLS policy with DANE<\/a><ul><li><a href=\"#DANETLSA_nedir_nasil_calisir\"><span class=\"toc_number toc_depth_2\">3.1<\/span> What is DANE\/TLSA and how does it work?<\/a><\/li><li><a href=\"#DANEin_guclu_ve_zayif_yanlari\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Strengths and weaknesses of DANE<\/a><\/li><\/ul><\/li><li><a href=\"#MTASTS_ile_HTTPS_tabanli_TLS_politikasi\"><span class=\"toc_number toc_depth_1\">4<\/span> HTTPS-based TLS policy with MTA-STS<\/a><ul><li><a href=\"#MTASTS_nasil_calisir\"><span class=\"toc_number toc_depth_2\">4.1<\/span> How does MTA-STS work?<\/a><\/li><li><a href=\"#MTASTSnin_guclu_ve_zayif_yanlari\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Strengths and weaknesses of MTA-STS<\/a><\/li><\/ul><\/li><li><a href=\"#Gonderici_tarafta_TLS_policy_haritalari_ornek_Postfix\"><span class=\"toc_number toc_depth_1\">5<\/span> TLS policy maps on the sending side (example: Postfix)<\/a><ul><li><a href=\"#Postfixte_basit_bir_TLS_policy_ornegi\"><span class=\"toc_number toc_depth_2\">5.1<\/span> A simple TLS policy example in Postfix<\/a><\/li><\/ul><\/li><li><a href=\"#STARTTLS_DANE_MTASTS_ve_TLS_politikalari_birlikte_nasil_kurgulanir\"><span class=\"toc_number toc_depth_1\">6<\/span> How STARTTLS, DANE, MTA-STS and TLS policies fit together<\/a><ul><li><a href=\"#1_Katman_Temel_TLS_hijyeni\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Layer 1: Basic TLS hygiene<\/a><\/li><li><a href=\"#2_Katman_Opportunistic_STARTTLS_SPFDKIMDMARC\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Layer 2: Opportunistic STARTTLS + SPF\/DKIM\/DMARC<\/a><\/li><li><a href=\"#3_Katman_Alici_tarafinda_TLS_politikasi_ilani_DANE_veveya_MTASTS\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Layer 3: Announcing a TLS policy on the receiving side (DANE and\/or MTA-STS)<\/a><\/li><li><a href=\"#4_Katman_Gonderici_tarafta_zorunlu_TLS_policy_haritalari\"><span class=\"toc_number toc_depth_2\">6.4<\/span> Layer 4: Mandatory TLS policy maps on the sending side<\/a><\/li><li><a href=\"#5_Katman_Izleme_ve_raporlama_TLSRPT_log_analizi\"><span class=\"toc_number toc_depth_2\">6.5<\/span> Layer 5: Monitoring and reporting (TLS-RPT \/ log analysis)<\/a><\/li><\/ul><\/li><li><a href=\"#Eposta_altyapisini_tasirken_sifrelemeyi_bozmadan_ilerlemek\"><span class=\"toc_number toc_depth_1\">7<\/span> Migrating e-mail infrastructure without breaking encryption<\/a><ul><li><a href=\"#1_Adim_Mevcut_durumu_envanterleyin\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Step 1: Inventory the current state<\/a><\/li><li><a href=\"#2_Adim_Yeni_altyapida_TLSi_once_ayaga_kaldirin\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Step 2: Bring up TLS on the new infrastructure first<\/a><\/li><li><a href=\"#3_Adim_MX_cutoverdan_once_DANEMTASTS_gecis_plani\"><span class=\"toc_number toc_depth_2\">7.3<\/span> Step 3: DANE\/MTA-STS transition plan before the MX cutover<\/a><\/li><li><a href=\"#4_Adim_Zorunlu_TLSte_hataya_yer_birakmadan_test\"><span class=\"toc_number toc_depth_2\">7.4<\/span> Step 4: Test mandatory TLS with no room for error<\/a><\/li><\/ul><\/li><li><a href=\"#KVKKGDPR_loglar_ve_izleme_tarafi\"><span class=\"toc_number toc_depth_1\">8<\/span> KVKK\/GDPR, logs and monitoring<\/a><\/li><li><a href=\"#DCHost_altyapisinda_pratik_bir_senaryo\"><span class=\"toc_number toc_depth_1\">9<\/span> A practical scenario on DCHost infrastructure<\/a><\/li><li><a href=\"#Sonuc_Epostada_olursa_iyi_olur_doneminden_ya_TLS_ya_hic_donemine_gecmek\"><span class=\"toc_number toc_depth_1\">10<\/span> Conclusion: moving e-mail from \u201cnice if it happens\u201d to \u201cTLS or nothing\u201d<\/a><\/li><\/ul><\/div>\n<h2><span id=\"Eposta_sifrelemesini_gercekten_zorunlu_hale_getirmek\">Making e-mail encryption truly mandatory<\/span><\/h2>\n<p>Carrying or sending corporate e-mail on an \u201cencrypted if possible, plaintext otherwise\u201d basis is no longer a luxury but a serious risk. Under KVKK\/GDPR, every e-mail that contains personal data is expected to be protected in transit so that third parties cannot read it. Even so, many organisations still have only the default <strong>opportunistic STARTTLS<\/strong> (\u201cTLS if it happens to work\u201d) enabled, but not enforced. 
When moving e-mail to a new provider, bringing a new domain online or setting up your own SMTP server, this \u201cmandatory\u201d layer is the part most often skipped.<\/p>\n<p>In this article we, the DCHost team, walk step by step through how to combine the <strong>STARTTLS, DANE, MTA-STS and TLS policy (map) mechanisms<\/strong>, both while migrating e-mail and in day-to-day sending. The goal: guarantee the combination of <strong>TLS every time, the right certificate and the right destination server<\/strong> between the receiving and sending MTAs. To get there we look at how DNS, the web server and the MTA configuration have to work together, at practical settings for common MTAs such as Postfix, and at migration scenarios without downtime.<\/p>\n<h2><span id=\"SMTP_uzerinden_TLS_nasil_calisir_Temeli_netlestirelim\">How does TLS over SMTP work? Let's get the basics straight<\/span><\/h2>\n<p>Let's get the foundation right first, because when you move to DANE or MTA-STS you are adding a policy layer on top of this infrastructure.<\/p>\n<h3><span id=\"STARTTLS_nedir\">What is STARTTLS?<\/span><\/h3>\n<p>SMTP is historically a plaintext protocol. <strong>STARTTLS<\/strong> is the command with which the two sides of an SMTP session agree to upgrade the connection to TLS after the session has started. In short:<\/p>\n<ul>\n<li>The connection starts in plaintext.<\/li>\n<li>The server advertises STARTTLS support in its EHLO response.<\/li>\n<li>The client (the sending MTA) sends the STARTTLS command.<\/li>\n<li>Once the TLS handshake completes, SMTP commands continue inside the encrypted tunnel.<\/li>\n<\/ul>\n<p>The crucial distinction: <strong>most MTAs use STARTTLS in \u201copportunistic\u201d mode<\/strong>. If the receiving side does not offer STARTTLS, or the TLS handshake fails, the sender carries on <em>unencrypted<\/em>. This is exactly where DANE, MTA-STS and TLS policies step in and say \u201cyou will not continue without encryption\u201d.<\/p>\n<h3><span id=\"Opportunistic_TLS_vs_zorunlu_TLS\">Opportunistic TLS vs mandatory TLS<\/span><\/h3>\n<p>In the <strong>opportunistic TLS<\/strong> approach the sending MTA tries TLS and sends in cleartext if that fails. This maximises the chance that the message arrives, but it <strong>guarantees neither confidentiality nor integrity<\/strong>. An attacker on the path can strip the STARTTLS advertisement from the EHLO response (a STRIPTLS downgrade), steer the sender to a rogue MX with forged DNS answers, or mount a MITM with an invalid certificate, because the sender never verifies it.<\/p>\n<p>In the <strong>mandatory TLS<\/strong> approach:<\/p>\n<ul>\n<li>The TLS requirement for the recipient domain is announced through a policy (DANE or MTA-STS).<\/li>\n<li>If the sending MTA cannot satisfy that domain's TLS and certificate rules, it <strong>must not send the message<\/strong>: it defers and retries later instead of falling back to cleartext.<\/li>\n<li>Result: the e-mail either travels encrypted to the right destination or it does not go at all. 
There is no \u201cin between\u201d.<\/li>\n<\/ul>\n<p>This article is about exactly how to build that mandatory-TLS world.<\/p>\n<h2><span id=\"DANE_ile_DNS_tabanli_TLS_politikasi\">DNS-based TLS policy with DANE<\/span><\/h2>\n<p><strong>DANE (DNS-Based Authentication of Named Entities)<\/strong> is the strongest, and the most technical, TLS enforcement mechanism for SMTP. It requires <strong>DNSSEC<\/strong> on your domain, because DANE validates TLSA records through a signed DNS chain; without DNSSEC an attacker who can forge DNS answers could simply remove the records and the policy with them.<\/p>\n<h3><span id=\"DANETLSA_nedir_nasil_calisir\">What is DANE\/TLSA and how does it work?<\/span><\/h3>\n<p>The MX host itself still comes from the (DNSSEC-signed) MX record. For that host, DANE answers the following questions via DNS:<\/p>\n<ul>\n<li>Which certificate or public key is acceptable on this MX host and port (25)?<\/li>\n<li>Is that a pinned end-entity certificate (DANE-EE) or a trust anchor the chain must lead to (DANE-TA)?<\/li>\n<li>Which verification should the sending MTA perform, and does it need to check the host name in the certificate at all?<\/li>\n<\/ul>\n<p>This is done with a dedicated DNS record type, <strong>TLSA<\/strong>. An example record:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">_25._tcp.mail.ornekdomain.com. IN TLSA 3 1 1 &lt;sha256-digest-of-spki&gt;<\/code><\/pre>\n<p>Here:<\/p>\n<ul>\n<li><strong>_25._tcp.mail.ornekdomain.com<\/strong>: the mail server reached over TCP port 25; the owner name is built from the port, the protocol and the MX host name.<\/li>\n<li><strong>3 1 1<\/strong>: the TLSA parameters (usage, selector, matching type). For example, 3 1 1 means <em>DANE-EE, SubjectPublicKeyInfo, SHA-256<\/em>: pin the end-entity key itself, independent of any CA.<\/li>\n<li>The last field: the SHA-256 digest of the certificate's SubjectPublicKeyInfo (selector 1) or, with selector 0, of the whole DER-encoded certificate.<\/li>\n<\/ul>\n<p>The sending MTA uses this DNSSEC-validated record to say: \u201cOn SMTP connections to this domain I will trust <strong>only this certificate<\/strong> (or only chains leading to this trust anchor). If the certificate differs, either there is a MITM or a misconfiguration; either way I will <strong>never send the message in cleartext or to the wrong destination<\/strong>.\u201d<\/p>\n<h3><span id=\"DANEin_guclu_ve_zayif_yanlari\">Strengths and weaknesses of DANE<\/span><\/h3>\n<p>Pros:<\/p>\n<ul>\n<li>You announce the policy with DNSSEC as the root of trust; no third-party CA and no separate HTTPS endpoint is needed.<\/li>\n<li>It is tied directly to the MX records, which DNSSEC also signs, so the risk of being steered to the wrong MX drops sharply.<\/li>\n<li>It largely eliminates the possibility of a MITM presenting a forged certificate.<\/li>\n<\/ul>\n<p>Cons:<\/p>\n<ul>\n<li><strong>DNSSEC is required<\/strong>. Not every DNS provider offers DNSSEC correctly and reliably; operational complexity can grow.<\/li>\n<li>DANE support on sending MTAs is still not universal. Large providers and modern MTAs support it, but not the whole ecosystem.<\/li>\n<li>Managing TLSA records needs care: when renewing certificates you must update the digest, or keep the same key pair across renewals so that a \u201c3 1 1\u201d record stays valid.<\/li>\n<\/ul>\n<p>If you have already <a href=\"https:\/\/www.dchost.com\/blog\/dnssec-nedir-ne-ise-yarar-alan-adiniz-ve-hostinginiz-icin-adim-adim-dnssec-kurulum-rehberi\/\">enabled DNSSEC<\/a> for your domain, adding DANE is the reasonable next step on the SMTP side.<\/p>\n<h2><span id=\"MTASTS_ile_HTTPS_tabanli_TLS_politikasi\">HTTPS-based TLS policy with MTA-STS<\/span><\/h2>\n<p><strong>MTA-STS (SMTP MTA Strict Transport Security)<\/strong> is a TLS enforcement mechanism that needs no DNSSEC but relies on HTTPS instead. The basic idea is to publish a policy file saying \u201cyou will use TLS and connect only to these hosts\u201d over HTTPS, so that trust comes from the WebPKI certificate of the policy host rather than from DNSSEC.<\/p>\n<h3><span id=\"MTASTS_nasil_calisir\">How does MTA-STS work?<\/span><\/h3>\n<p>Take an example domain: <code>ornekdomain.com<\/code>. 
When MTA-STS is enabled, three components come into play:<\/p>\n<ol>\n<li>A TXT record in DNS: <code>_mta-sts.ornekdomain.com<\/code><\/li>\n<li>An HTTPS endpoint: <code>https:\/\/mta-sts.ornekdomain.com\/.well-known\/mta-sts.txt<\/code><\/li>\n<li>The policy file: a plain-text file containing the version, the mode, the MX patterns and the cache lifetime.<\/li>\n<\/ol>\n<p>An example policy file:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">version: STSv1\nmode: enforce\nmx: mail1.ornekdomain.com\nmx: mail2.ornekdomain.com\nmax_age: 604800<\/code><\/pre>\n<p>And on the DNS side:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">_mta-sts.ornekdomain.com. IN TXT &quot;v=STSv1; id=20250208&quot;<\/code><\/pre>\n<p>The sending MTA first learns from this TXT record whether the recipient domain has an MTA-STS policy, then fetches the policy file over HTTPS (validating the certificate of <code>mta-sts.ornekdomain.com<\/code> against the WebPKI) and caches it for <code>max_age<\/code> seconds. With <strong>mode: enforce<\/strong> the policy says:<\/p>\n<ul>\n<li>TLS is always used when sending e-mail to this domain.<\/li>\n<li>An MX host is acceptable only if it matches one of the declared patterns.<\/li>\n<li>The presented certificate must pass standard CA (WebPKI) validation and its name must match the MX host name, just like browser TLS.<\/li>\n<\/ul>\n<h3><span id=\"MTASTSnin_guclu_ve_zayif_yanlari\">Strengths and weaknesses of MTA-STS<\/span><\/h3>\n<p>Pros:<\/p>\n<ul>\n<li>Works across a very broad ecosystem without needing DNSSEC.<\/li>\n<li>Uses a CA-based, browser-like TLS trust model that administrators already understand.<\/li>\n<li>Changing the policy is relatively easy; the <code>id<\/code> parameter handles versioning, and senders refetch when it changes.<\/li>\n<\/ul>\n<p>Cons:<\/p>\n<ul>\n<li>The first policy fetch has a TOFU (Trust On First Use) style weakness: a MITM during the initial download is a theoretical risk. After that, the cached policy protects against downgrade until it expires.<\/li>\n<li>The HTTPS endpoint itself needs a correct SSL\/TLS configuration and uptime.<\/li>\n<li>The DNS + HTTPS integration can feel complex for small teams.<\/li>\n<\/ul>\n<p>MTA-STS is very practical, especially for domains that cannot (or do not) use DNSSEC but still want to enforce TLS. 
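<\/p>
<p>The fetch, parse, MX-match and enforce\/testing decision described above, as an added example that is not part of the original post or of any MTA: the TXT record, policy text and MX host names are constructed, and the DNS and HTTPS retrieval is left out so that the logic runs offline.<\/p>

```python
"""MTA-STS policy handling on the sending side (RFC 8461).

Added example for this article; not code from the original post or from any MTA.
The TXT record, policy text and host names are constructed. Fetching the TXT
record from DNS and the policy over validated HTTPS is left out on purpose so
that the decision logic runs and can be checked offline.
"""
import re
from dataclasses import dataclass

# Constructed inputs: what a sender would get from DNS (_mta-sts.ornekdomain.com)
# and from https://mta-sts.ornekdomain.com/.well-known/mta-sts.txt
TXT_RECORD = "v=STSv1; id=20250208"
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail1.ornekdomain.com
mx: *.ornekdomain.com
max_age: 604800
"""


@dataclass
class Policy:
    mode: str      # enforce | testing | none
    mx: list       # MX host patterns, lower-cased
    max_age: int   # cache lifetime in seconds


def parse_txt(txt):
    """Return the policy id from a _mta-sts TXT record, or None if it is not STSv1."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse mta-sts.txt; raise ValueError for anything that is not a usable STSv1 policy."""
    mx, other = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            other[key] = value
    if other.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if other.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not mx and other["mode"] != "none":
        raise ValueError("no mx patterns")
    if not re.fullmatch(r"\d+", other.get("max_age", "")):
        raise ValueError("missing or invalid max_age")
    return Policy(other["mode"], mx, int(other["max_age"]))


def mx_matches(pattern, host):
    """RFC 8461 section 4.1 MX matching: a leading '*' stands for exactly one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".ornekdomain.com"
        head = host[:-len(suffix)] if host.endswith(suffix) else None
        return bool(head) and "." not in head     # one non-empty label, nothing more
    return host == pattern


def needs_refetch(cached_id, txt_record):
    """Refetch the policy only when the TXT id changed.

    If the TXT record is missing, the cached policy stays in force until max_age
    expires; that is what defeats an attacker who simply deletes the record.
    """
    new_id = parse_txt(txt_record) if txt_record else None
    return new_id is not None and new_id != cached_id


def decide(policy, mx_host, starttls_offered, cert_valid):
    """Decide what the sender may do with one MX candidate.

    Returns (action, failure): action is "deliver" or "defer" (retry later or try
    another MX, never cleartext); failure is None or a short reason to put in the
    TLS-RPT report. cert_valid means the certificate chains to the WebPKI and
    carries the MX host name.
    """
    failure = None
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failure = "mx-host-not-in-policy"
    elif not starttls_offered:
        failure = "starttls-not-supported"
    elif not cert_valid:
        failure = "certificate-not-trusted"
    if failure is None:
        return "deliver", None
    if policy.mode == "enforce":
        return "defer", failure
    return "deliver", failure   # testing/none: opportunistic delivery, but report it
```
<p>Two details matter in practice: a <code>testing<\/code> policy never blocks delivery, it only yields a failure the sender should report via TLS-RPT, and a cached <code>enforce<\/code> policy stays in force for <code>max_age<\/code> seconds even if the TXT record disappears, which is what stops an attacker from defeating MTA-STS by deleting the record.<\/p>
<p>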
On the DCHost side we frequently recommend <a href=\"https:\/\/www.dchost.com\/blog\/mta-sts-tls-rpt-ve-bimi-nedir-e-posta-guvenligi-ve-marka-gorunurlugu-icin-gelismis-dns-ayarlari\/\">MTA-STS and TLS-RPT configuration<\/a> for our customers' domains.<\/p>\n<h2><span id=\"Gonderici_tarafta_TLS_policy_haritalari_ornek_Postfix\">TLS policy maps on the sending side (example: Postfix)<\/span><\/h2>\n<p>DANE and MTA-STS let the recipient domain tell the outside world \u201cI want TLS\u201d. But <strong>how the sending MTA reacts to that request<\/strong> is a separate setting. Most modern MTAs offer a per-domain mechanism such as a <strong>TLS policy map<\/strong> (in Postfix, <strong>smtp_tls_policy_maps<\/strong>).<\/p>\n<h3><span id=\"Postfixte_basit_bir_TLS_policy_ornegi\">A simple TLS policy example in Postfix<\/span><\/h3>\n<p>On a <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> or <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated server<\/a> running Postfix we could use a configuration like this:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># main.cf\nsmtp_tls_security_level = may\nsmtp_tls_policy_maps = texthash:\/etc\/postfix\/tls_policy\n# secure and verify need a CA bundle to validate server certificates against (Debian\/Ubuntu path, adjust for your distro)\nsmtp_tls_CAfile = \/etc\/ssl\/certs\/ca-certificates.crt<\/code><\/pre>\n<p>And in <code>\/etc\/postfix\/tls_policy<\/code>:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># key = next-hop (recipient domain); a leading dot matches subdomains only, *.wildcards are not supported\nornekdomain.com      encrypt\nkritikfirma.com      secure\nbankadomain.com      secure match=.bankadomain.com:bankadomain.com\n.bankadomain.com     secure match=.bankadomain.com:bankadomain.com<\/code><\/pre>\n<p>Here:<\/p>\n<ul>\n<li><strong>encrypt<\/strong>: always use TLS for this domain, but do not verify the certificate. This stops passive eavesdropping and STRIPTLS downgrades, not an active MITM with its own certificate.<\/li>\n<li><strong>secure<\/strong>: TLS is mandatory and the server certificate must chain to a CA in <code>smtp_tls_CAfile<\/code> and carry a name matching the next-hop domain (or, with <code>dot-nexthop<\/code>, one of its subdomains).<\/li>\n<li><strong>match=<\/strong>: the certificate names accepted at the <code>secure<\/code> level. <code>.bankadomain.com:bankadomain.com<\/code> accepts the apex and any subdomain, so MX hosts named like <code>mx1.bankadomain.com<\/code> pass. A leading-dot lookup key such as <code>.bankadomain.com<\/code> matches subdomains of the recipient domain; Postfix does not support <code>*.<\/code> wildcards in this table and has no <code>match=mx<\/code> option. Matching the MX host name instead of the next-hop is what the <code>verify<\/code> level does (<code>match=hostname<\/code>), and that is only safe when the MX lookup itself is DNSSEC-protected, because otherwise a forged MX answer also picks the name the certificate has to carry.<\/li>\n<\/ul>\n<p>Postfix evaluates DANE natively: with <code>smtp_tls_security_level = dane<\/code> and <code>smtp_dns_support_level = dnssec<\/code> (plus a local validating resolver) it uses TLSA records wherever they exist and falls back to opportunistic TLS only for domains without them; <code>dane-only<\/code> never falls back. MTA-STS is not built into Postfix; it needs an external policy lookup service (for example the open-source postfix-mta-sts-resolver) that translates the fetched policy into <code>smtp_tls_policy_maps<\/code> entries. For critical domains, manual policy map entries remain valuable as a floor below which neither mechanism can drop.<\/p>\n<h2><span id=\"STARTTLS_DANE_MTASTS_ve_TLS_politikalari_birlikte_nasil_kurgulanir\">How STARTTLS, DANE, MTA-STS and TLS policies fit together<\/span><\/h2>\n<p>Now the real question: what does the ideal architecture look like when these mechanisms are combined? The layered model we recommend at DCHost:<\/p>\n<h3><span id=\"1_Katman_Temel_TLS_hijyeni\">Layer 1: Basic TLS hygiene<\/span><\/h3>\n<ul>\n<li>TLS 1.2 and TLS 1.3 enabled on the mail server, weak cipher suites disabled.<\/li>\n<li>An up-to-date certificate chain (Let's Encrypt or a commercial certificate).<\/li>\n<li>Names must line up: the CN\/SAN in the certificate must match your SMTP host name (e.g. <code>mail.ornekdomain.com<\/code>), which is the name the MX record points to.<\/li>\n<\/ul>\n<p>Our <a href=\"https:\/\/www.dchost.com\/blog\/ssl-tls-protokol-guncellemeleri-modern-https-icin-net-yol-haritasi\/\">SSL\/TLS protocol updates guide<\/a>, which covers these steps in detail, focuses on the web side, but the same principles apply to SMTP.<\/p>\n<h3><span id=\"2_Katman_Opportunistic_STARTTLS_SPFDKIMDMARC\">Layer 2: Opportunistic STARTTLS + SPF\/DKIM\/DMARC<\/span><\/h3>\n<p>Even for those who cannot yet move to the DANE\/MTA-STS level, at minimum:<\/p>\n<ul>\n<li><strong>STARTTLS<\/strong> should be enabled even if it is not enforced,<\/li>\n<li><strong>SPF, DKIM and DMARC<\/strong> should be configured properly,<\/li>\n<li><strong>PTR (rDNS)<\/strong> should be set correctly.<\/li>\n<\/ul>\n<p>For this stage I strongly recommend reading our <a href=\"https:\/\/www.dchost.com\/blog\/spf-dkim-ve-dmarc-nedir-ozel-alan-adi-ile-e-posta-dogrulamasini-cpanel-ve-vpste-sifirdan-kurmak\/\">guide to setting up SPF, DKIM and DMARC from scratch<\/a> and <a href=\"https:\/\/www.dchost.com\/blog\/ptr-reverse-dns-kaydi-vps-ipniz-icin-dogru-ayar-ve-e-posta-teslimine-etkisi\/\">the article detailing PTR record configuration<\/a>. Encryption alone is not enough; authentication and reputation management are just as critical.<\/p>\n<h3><span id=\"3_Katman_Alici_tarafinda_TLS_politikasi_ilani_DANE_veveya_MTASTS\">Layer 3: Announcing a TLS policy on the receiving side (DANE and\/or MTA-STS)<\/span><\/h3>\n<p>As the owner of the recipient domain you have two options, and using both in parallel is ideal:<\/p>\n<ul>\n<li><strong>DANE + DNSSEC<\/strong>: announce your certificate policy with TLSA records on the DNS side.<\/li>\n<li><strong>MTA-STS<\/strong>: define TLS and MX patterns with a DNS TXT record plus an HTTPS policy file.<\/li>\n<\/ul>\n<p>These two mechanisms complement each other: a sender that supports only one of them still gets an enforceable policy. DANE works very well in organisations that use DNSSEC and have a strong technical team. Where DNSSEC is absent or feels too complex, MTA-STS is a practical tool for enforcing TLS. 
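<\/p>
<p>How a sending MTA matches a DNSSEC-validated TLSA record against the certificate it was shown, and which records to publish before a key rotation, as an added example covering the DANE\/TLSA section above and this layer. It is not code from the original post or from Postfix; the certificate and SubjectPublicKeyInfo values are constructed byte strings standing in for DER objects, and the openssl pipeline quoted in the comment is how the digest is produced for a real certificate.<\/p>

```python
"""DANE-EE (TLSA usage 3) record generation and matching for SMTP (RFC 6698, 7671, 7672).

Added example for this article; not code from the original post or from Postfix.
The "certificate" and SubjectPublicKeyInfo (SPKI) values are constructed byte
strings standing in for DER objects. For a real certificate the SPKI digest that
goes into a "3 1 1" record comes from, for example:
  openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
"""
import hashlib

# Constructed stand-ins for the DER certificate and its SPKI, old key and new key.
OLD_CERT, OLD_SPKI = b"constructed-der-cert-2025", b"constructed-der-spki-2025"
NEW_CERT, NEW_SPKI = b"constructed-der-cert-2026", b"constructed-der-spki-2026"

OWNER = "_25._tcp.mail.ornekdomain.com."   # port 25, TCP, the MX host name


def tlsa_data(selector, mtype, cert_der, spki_der):
    """Certificate association data (hex) for the given selector and matching type.

    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype:    0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    """
    if selector not in (0, 1):
        raise ValueError("unknown selector")
    obj = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return obj.hex()
    if mtype == 1:
        return hashlib.sha256(obj).hexdigest()
    if mtype == 2:
        return hashlib.sha512(obj).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_record(usage, selector, mtype, cert_der, spki_der):
    """A record as a (usage, selector, mtype, data_hex) tuple, as a resolver returns it."""
    return (usage, selector, mtype, tlsa_data(selector, mtype, cert_der, spki_der))


def zone_line(owner, record):
    """Render a record in zone-file form: '_25._tcp.mail... IN TLSA 3 1 1 <hex>'."""
    usage, selector, mtype, data_hex = record
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data_hex}"


def verify_dane_ee(records, cert_der, spki_der):
    """Match the presented leaf certificate against DNSSEC-validated TLSA records.

    Returns:
      "verified"           a usage-3 record matches; no PKIX chain or name check is needed
      "mismatch"           usable usage-3 records exist but none match: do not deliver,
                           never fall back to cleartext or to unauthenticated TLS
      "no-usable-records"  nothing usable: RFC 7672 says use mandatory but
                           unauthenticated TLS, as if no TLSA records were published
    Usage 0/1 (PKIX-*) and 2 (DANE-TA) records need chain building and are skipped here.
    """
    usable = False
    for usage, selector, mtype, data_hex in records:
        if usage != 3:
            continue
        try:
            expected = tlsa_data(selector, mtype, cert_der, spki_der)
        except ValueError:
            continue                       # unknown parameters: skip the record, do not fail
        usable = True
        if expected.lower() == data_hex.lower():
            return "verified"
    return "mismatch" if usable else "no-usable-records"


def rollover_rrset(old_spki, new_spki):
    """TLSA RRset to publish before rotating the key: both old and new '3 1 1' records.

    Publish this set, wait for the old RRset TTL to expire from caches, switch the
    server to the new certificate, then drop the old record. Matching on the SPKI
    (selector 1) means a renewed certificate with the same key needs no DNS change.
    """
    return [tlsa_record(3, 1, 1, b"", old_spki), tlsa_record(3, 1, 1, b"", new_spki)]
```
<p>The three outcomes map directly onto MTA behaviour: <code>verified<\/code> is an authenticated delivery, <code>mismatch<\/code> must defer (this is what a stale digest after a certificate renewal produces, and also what a MITM produces), and <code>no-usable-records<\/code> falls back to TLS that is mandatory but unauthenticated, never to cleartext.<\/p>
<p>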
On the domains we manage at DCHost we deploy both options, together or separately, according to the customer's operational maturity.<\/p>\n<h3><span id=\"4_Katman_Gonderici_tarafta_zorunlu_TLS_policy_haritalari\">Layer 4: Mandatory TLS policy maps on the sending side<\/span><\/h3>\n<p>For your sending MTA (for example a Postfix VPS running on DCHost) you can apply this approach:<\/p>\n<ul>\n<li>For all external domains, STARTTLS should be active at <strong>at least the \u201cmay\u201d level<\/strong>.<\/li>\n<li>For regulation-critical domains (banking, government, health, finance) add strict TLS policy entries such as <strong>encrypt\/secure<\/strong>.<\/li>\n<li>For domains that publish a DANE or MTA-STS policy, make sure your MTA applies those policies in <strong>hard-fail<\/strong> mode: in Postfix the <code>dane<\/code> security level fails closed whenever usable TLSA records exist (<code>dane-only<\/code> also refuses domains without them), and an MTA-STS lookup service must translate <code>mode: enforce<\/code> into a <code>secure<\/code>-level policy entry.<\/li>\n<\/ul>\n<p>Result: mail to some domains may not be delivered at all (when the receiving side is misconfigured); it stays in the queue and is retried. That trade-off is far safer, and far friendlier to regulators, than a <strong>cleartext or MITM-prone<\/strong> connection.<\/p>\n<h3><span id=\"5_Katman_Izleme_ve_raporlama_TLSRPT_log_analizi\">Layer 5: Monitoring and reporting (TLS-RPT \/ log analysis)<\/span><\/h3>\n<p>Alongside MTA-STS you can also enable <strong>TLS-RPT<\/strong> (SMTP TLS Reporting). You publish a <code>_smtp._tls.ornekdomain.com<\/code> TXT record that names a reporting address (for example <code>v=TLSRPTv1; rua=mailto:tlsrpt@ornekdomain.com<\/code>), and other MTAs send you daily reports about the problems they hit when connecting to your domain with TLS. This lets you observe in the field failures such as:<\/p>\n<ul>\n<li>a wrong certificate chain,<\/li>\n<li>an MX host that does not match the policy,<\/li>\n<li>incompatible protocol versions or cipher suites<\/li>\n<\/ul>\n<p>and similar. Our <a href=\"https:\/\/www.dchost.com\/blog\/mta-sts-tls-rpt-ve-dane-tlsa-ile-smtp-guvenligi-teslim-edilebilirligi-ve-sifrelemeyi-nasil-guclendirirsin\/\">guide to hardening SMTP with MTA-STS, TLS-RPT and DANE\/TLSA<\/a>, which goes deeper into this topic, is the natural companion to this article.<\/p>\n<h2><span id=\"Eposta_altyapisini_tasirken_sifrelemeyi_bozmadan_ilerlemek\">Migrating e-mail infrastructure without breaking encryption<\/span><\/h2>\n<p>Theory is nice, but most mistakes are made during a <strong>migration<\/strong>. How should you proceed when moving your domain or mail server to new infrastructure, without breaking (and ideally while strengthening) the TLS side?<\/p>\n<h3><span id=\"1_Adim_Mevcut_durumu_envanterleyin\">Step 1: Inventory the current state<\/span><\/h3>\n<p>First, note down:<\/p>\n<ul>\n<li>the current MX records and their TTL values,<\/li>\n<li>the SMTP host names in use (e.g. <code>mail.eski-domain.com<\/code>),<\/li>\n<li>the current certificate type and scope (SAN entries, wildcard, etc.),<\/li>\n<li>whether you use DANE (TLSA), MTA-STS and TLS-RPT, and if so the current TLSA digests and the policy <code>id<\/code>.<\/li>\n<\/ul>\n<p>At this stage it is a good idea to run in parallel the DNS and IP reputation checks described in our <a href=\"https:\/\/www.dchost.com\/blog\/e-posta-teslim-edilebilirligi-denetim-listesi-dns-ip-itibari-icerik-ve-loglar\/\">e-mail deliverability checklist<\/a>.<\/p>\n<h3><span id=\"2_Adim_Yeni_altyapida_TLSi_once_ayaga_kaldirin\">Step 2: Bring up TLS on the new infrastructure first<\/span><\/h3>\n<p>If you are moving to new <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">shared hosting<\/a>, a VPS or a dedicated server on DCHost:<\/p>\n<ul>\n<li>Decide on the new SMTP host name (e.g. <code>mail.yeni-domain.com<\/code>).<\/li>\n<li>Install a valid, current TLS certificate for that host.<\/li>\n<li>Enable TLS 1.2\/1.3 and modern cipher suites on the SMTP server.<\/li>\n<li>Test the connection with <code>openssl s_client -starttls smtp -crlf -connect mail.yeni-domain.com:25<\/code>. Port 25 is what other MTAs (and DANE\/MTA-STS checks) use; port 587 is the submission port for your own users, so test that too. With OpenSSL 1.1.0 or later, <code>-dane_tlsa_domain<\/code> and <code>-dane_tlsa_rrdata<\/code> let you check a TLSA record against the served certificate before you publish it.<\/li>\n<\/ul>\n<h3><span id=\"3_Adim_MX_cutoverdan_once_DANEMTASTS_gecis_plani\">Step 3: DANE\/MTA-STS transition plan before the MX cutover<\/span><\/h3>\n<p>If you already use DANE or MTA-STS, keep to the following order when switching MX:<\/p>\n<ol>\n<li>Add the new MX host in parallel (do not delete the old one immediately).<\/li>\n<li>Publish the TLSA records for the new host (if DNSSEC is in place) before it starts receiving mail, and wait at least one TTL so that resolvers have seen them.<\/li>\n<li>Add the new MX to your MTA-STS policy file and bump the <code>id<\/code> in the TXT record, so that senders refetch the policy.<\/li>\n<li>Once all of these changes have propagated in DNS and the tests pass, shift the MX preference values gradually in favour of the new host (the lower number is preferred).<\/li>\n<li>Watch the last traffic arriving at the old host and, once it has drained, remove the <strong>last<\/strong> MX and TLSA references and the old host's <code>mx:<\/code> line from the MTA-STS policy.<\/li>\n<\/ol>\n<p>This way you never end up in an inconsistent state such as \u201cthe MX points to the new host but the TLS policy still mandates the old one\u201d, which under an enforced policy means senders stop delivering to you.<\/p>\n<h3><span id=\"4_Adim_Zorunlu_TLSte_hataya_yer_birakmadan_test\">Step 4: Test mandatory TLS with no room for error<\/span><\/h3>\n<p>For a domain that uses mandatory TLS, after the migration always:<\/p>\n<ul>\n<li>Send test e-mails from different external providers and inspect the TLS sessions in your logs.<\/li>\n<li>Verify your SMTP certificate chain and protocol support with online TLS checker tools.<\/li>\n<li>When something fails, interpret <a href=\"https:\/\/www.dchost.com\/blog\/e-posta-hata-kodlarini-anlamak-550-554-421-ve-bounce-mesajlarini-cozmek\/\">error codes such as 550, 554 and 421<\/a> correctly.<\/li>\n<\/ul>\n<p>For customers who migrate their e-mail infrastructure to us, the DCHost team runs these tests together with them, validating both TLS encryption and deliverability.<\/p>\n<h2><span id=\"KVKKGDPR_loglar_ve_izleme_tarafi\">KVKK\/GDPR, logs and monitoring<\/span><\/h2>\n<p>Mandatory TLS is not merely a technical \u201cnice to have\u201d; it is also critical for regulatory compliance. 
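<\/p>
<p>The SMTP-log check this section calls for, telling TLS deliveries from cleartext ones and alerting on deferrals caused by an enforced TLS policy, as an added example over constructed Postfix log lines. It is not code from the original post or from Postfix, and the join of the TLS line to the delivery line on process ID and relay is a heuristic explained in the comments.<\/p>

```python
"""Telling TLS from cleartext deliveries in Postfix SMTP client logs.

Added example for this article; not code from the original post or from Postfix.
The log lines below are constructed in the syslog format Postfix uses: the smtp(8)
client logs '<Trust level> TLS connection established to host[ip]:port: ...'
without a queue ID, then the delivery line with relay=host[ip]:port from the same
process. The two are joined here on (pid, relay), which is a heuristic: it relies
on the TLS line preceding the delivery lines of that connection.
"""
import re

# Constructed sample: one verified, one cleartext and one untrusted-but-encrypted
# delivery, plus two deferrals caused by an enforced TLS policy (encrypt / secure).
SAMPLE_LOG = """\
Feb  8 10:00:01 mx1 postfix/smtp[2041]: Verified TLS connection established to mail.ornekdomain.com[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Feb  8 10:00:01 mx1 postfix/smtp[2041]: 4F3A1C0B7E: to=<ali@ornekdomain.com>, relay=mail.ornekdomain.com[192.0.2.10]:25, delay=0.9, delays=0.1/0.01/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK queued as 1A2B3C)
Feb  8 10:00:05 mx1 postfix/smtp[2042]: 5D2E8A19F3: to=<info@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.3, delays=0.2/0.01/0.6/0.5, dsn=2.0.0, status=sent (250 OK id=abc123)
Feb  8 10:00:09 mx1 postfix/smtp[2043]: Untrusted TLS connection established to mx.example.org[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  8 10:00:09 mx1 postfix/smtp[2043]: 6C1B7D55A0: to=<ops@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.7, delays=0.1/0.01/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 accepted)
Feb  8 10:00:12 mx1 postfix/smtp[2044]: 7A9C2E4B11: to=<cfo@kritikfirma.com>, relay=mx.kritikfirma.com[192.0.2.77]:25, delay=0.4, delays=0.1/0.01/0.3/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.kritikfirma.com[192.0.2.77])
Feb  8 10:00:15 mx1 postfix/smtp[2045]: Untrusted TLS connection established to mx1.bankadomain.com[192.0.2.88]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Feb  8 10:00:15 mx1 postfix/smtp[2045]: 8B0D3F6C22: to=<it@bankadomain.com>, relay=mx1.bankadomain.com[192.0.2.88]:25, delay=0.6, delays=0.1/0.01/0.5/0, dsn=4.7.5, status=deferred (Server certificate not verified)
"""

# syslog prefix "Mon DD HH:MM:SS host postfix/smtp[pid]: message"
LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS = re.compile(r"^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
                 r"(?P<relay>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
DELIVERY = re.compile(r"^(?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), "
                      r".*status=(?P<status>\w+) \((?P<detail>.*)\)$")
# Postfix wording for deferrals caused by the encrypt/secure/dane policy, not by peer SMTP errors
POLICY_FAILURE = ("TLS is required", "Server certificate not verified", "Server certificate not trusted")


def analyze(lines):
    """Return one dict per delivery attempt with its TLS trust level and an alert flag."""
    tls_by_conn = {}   # (pid, relay) -> trust level of the established TLS session
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        t = TLS.match(msg)
        if t:
            tls_by_conn[(pid, t["relay"])] = t["trust"]
            continue
        d = DELIVERY.match(msg)
        if not d:
            continue
        trust = tls_by_conn.get((pid, d["relay"]), "none")
        alert = None
        if d["status"] != "sent" and any(p in d["detail"] for p in POLICY_FAILURE):
            alert = "tls-policy-deferral"   # mandatory TLS did its job: mail is queued, not leaked
        elif d["status"] == "sent" and trust == "none":
            alert = "cleartext-delivery"    # opportunistic fallback: this is what you want to eliminate
        results.append({"qid": d["qid"], "relay": d["relay"], "status": d["status"],
                        "tls": trust, "alert": alert})
    return results


def summarize(results):
    """Counts per TLS trust level plus the number of alerts, for a daily report or a metric."""
    summary = {"alerts": 0}
    for r in results:
        summary[r["tls"]] = summary.get(r["tls"], 0) + 1
        if r["alert"]:
            summary["alerts"] += 1
    return summary
```
<p>Run over a day of <code>mail.log<\/code>, the <code>cleartext-delivery<\/code> alerts list the destinations for which opportunistic TLS fell back to plaintext (candidates for an <code>encrypt<\/code> or <code>secure<\/code> policy entry), and the <code>tls-policy-deferral<\/code> alerts show where an enforced policy is currently holding mail in the queue and needs attention on one side or the other.<\/p>
<p>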
\u00d6zellikle KVKK, e\u2011postayla aktar\u0131lan ki\u015fisel veriler i\u00e7in <strong>aktar\u0131l\u0131rken \u015fifreleme<\/strong>yi makul ve beklenen bir \u00f6nlem olarak g\u00f6r\u00fcyor.<\/p>\n<p>Bu ba\u011flamda:<\/p>\n<ul>\n<li>SMTP loglar\u0131n\u0131zda <strong>TLS kullan\u0131lan ve kullan\u0131lmayan<\/strong> ba\u011flant\u0131lar\u0131 ay\u0131rt edebilmeli,<\/li>\n<li>M\u00fcmk\u00fcnse TLS\u2011RPT raporlar\u0131n\u0131 toplay\u0131p d\u00fczenli analiz edebilmeli,<\/li>\n<li>\u015e\u00fcpheli sertifika hatalar\u0131n\u0131 veya TLS fallback denemelerini alarmlarla g\u00f6zlemleyebilmelisiniz.<\/li>\n<\/ul>\n<p>Genel log saklama ve anonimle\u015ftirme gereksinimlerini de <a href=\"https:\/\/www.dchost.com\/blog\/hosting-ve-e-posta-altyapisinda-log-saklama-sureleri\/\">hosting ve e\u2011posta altyap\u0131s\u0131nda log saklama s\u00fcreleri<\/a> rehberimizde ayr\u0131nt\u0131l\u0131 olarak anlatt\u0131k; TLS\u2019e \u00f6zel log analizi de bu politikan\u0131n do\u011fal bir par\u00e7as\u0131 olmal\u0131.<\/p>\n<h2><span id=\"DCHost_altyapisinda_pratik_bir_senaryo\">DCHost altyap\u0131s\u0131nda pratik bir senaryo<\/span><\/h2>\n<p>\u00d6rnek bir kurumsal senaryo d\u00fc\u015f\u00fcnelim: Kendi on\u2011premise mail sunucusundan DCHost \u00fczerindeki y\u00f6netilen bir VPS\u2019e ge\u00e7iyorsunuz ve \u015fu hedefleriniz var:<\/p>\n<ul>\n<li>T\u00fcm d\u0131\u015f e\u2011postalar TLS ile \u015fifreli gitsin.<\/li>\n<li>Kurumsal alan ad\u0131n\u0131za gelen e\u2011postalar yaln\u0131zca sizin MX\u2019lerinize ve do\u011fru sertifika ile kabul edilsin.<\/li>\n<li>Ta\u015f\u0131ma s\u0131ras\u0131nda e\u2011posta kesintisi minimum olsun.<\/li>\n<\/ul>\n<p>Biz bu tip projelerde tipik olarak \u015fu ad\u0131mlar\u0131 izliyoruz:<\/p>\n<ol>\n<li>DCHost VPS \u00fczerinde Postfix + Dovecot altyap\u0131s\u0131n\u0131 TLS 1.2\/1.3 ve modern \u015fifre setleriyle kurmak.<\/li>\n<li>Alan ad\u0131 i\u00e7in SPF, DKIM, DMARC ve PTR 
yap\u0131land\u0131rmas\u0131n\u0131 <strong>ta\u015f\u0131ma \u00f6ncesi<\/strong> haz\u0131r hale getirmek.<\/li>\n<li>DANE isteniyorsa DNSSEC\u2019i etkinle\u015ftirip TLSA kay\u0131tlar\u0131n\u0131 planlamak.<\/li>\n<li>MTA\u2011STS ve TLS\u2011RPT\u2019yi devreye al\u0131p, <code>mode: testing<\/code> ile birka\u00e7 g\u00fcn g\u00f6zlem yapmak, ard\u0131ndan <code>mode: enforce<\/code>\u2019a almak.<\/li>\n<li>MX cutover\u2019\u0131 TTL\u2019leri d\u00fc\u015f\u00fcrerek ve kademeli a\u011f\u0131rl\u0131k de\u011fi\u015fimi ile ger\u00e7ekle\u015ftirmek.<\/li>\n<li>Son olarak, DCHost \u00fczerindeki outbound Postfix\u2019te kritik alanlar i\u00e7in TLS policy haritalar\u0131n\u0131 tan\u0131mlamak.<\/li>\n<\/ol>\n<p>Bu sayede ta\u015f\u0131ma tamamland\u0131\u011f\u0131nda yaln\u0131zca daha h\u0131zl\u0131 veya daha stabil bir altyap\u0131ya ge\u00e7mi\u015f olmuyor; ayn\u0131 zamanda e\u2011posta \u015fifreleme ve kimlik do\u011frulama seviyeniz de ciddi \u015fekilde y\u00fckselmi\u015f oluyor.<\/p>\n<h2><span id=\"Sonuc_Epostada_olursa_iyi_olur_doneminden_ya_TLS_ya_hic_donemine_gecmek\">Sonu\u00e7: E\u2011postada \u201colursa iyi olur\u201d d\u00f6neminden \u201cya TLS ya hi\u00e7\u201d d\u00f6nemine ge\u00e7mek<\/span><\/h2>\n<p>E\u2011posta altyap\u0131s\u0131nda \u015fifrelemeyi ger\u00e7ekten ciddiye almak istiyorsan\u0131z, sadece STARTTLS\u2019i a\u00e7mak yeterli de\u011fil. <strong>DANE, MTA\u2011STS, TLS policy map\u2019leri, SPF\/DKIM\/DMARC ve PTR<\/strong> gibi bile\u015fenleri birlikte kurgulad\u0131\u011f\u0131n\u0131zda, ortaya hem teknik olarak g\u00fc\u00e7l\u00fc hem de reg\u00fclasyonlara uyumlu bir mimari \u00e7\u0131k\u0131yor. 
Infrastructure migration periods in particular are the most suitable time for this transformation, since you are already touching MX, DNS and certificates.<\/p>\n<p>At DCHost, whether you use shared hosting, a VPS, dedicated servers or colocation, we can plan and implement the mandatory TLS, DANE and MTA-STS setup for your email together with you. Let us analyse your current email traffic and DNS records and draw up a step-by-step transition plan, keeping downtime to a minimum and moving together to a secure world where your emails are sent <strong>either encrypted or not at all<\/strong>.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 Making email encryption genuinely mandatory2 How does TLS over SMTP work? 
Clarifying the basics2.1 What is STARTTLS?2.2 Opportunistic TLS vs mandatory TLS3 DNS-based TLS policy with DANE3.1 What is DANE\/TLSA and how does it work?3.2 DANE's strengths and weaknesses4 HTTPS-based TLS policy with MTA-STS4.1 How does MTA-STS work?4.2 MTA-STS's strengths and weaknesses5 TLS policy maps on the sending side [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4831,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-4830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=4830"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4830\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/4831"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=4830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=4830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=4830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
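The post-migration test step and the KVKK/GDPR monitoring points in the article body (telling TLS from non-TLS connections in SMTP logs, collecting TLS-RPT reports, alerting on certificate errors and on fallback to plaintext) as one worked example. This is an added example, not code from the original post or from DCHost's tooling. It classifies constructed Postfix log lines (the message formats matched are Postfix's own; the hosts, addresses and queue ids are made up) and summarises a constructed TLS-RPT JSON report; `enforced_domains` is an assumed input naming the destination domains for which your TLS policy map requires a verified peer.

```python
"""Added example, not from the original post: classify TLS usage in Postfix
logs and condense a TLS-RPT (RFC 8460) report into alertable rows. All log
lines, hosts, IPs and the sample report are constructed for illustration."""
import json
import re
from collections import Counter

# "<Level> TLS connection established to host[ip]:25: TLSv1.3 with cipher ..."
TLS_RE = re.compile(
    r"postfix/(?P<prog>smtpd?)\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<host>[^\[\s]+)\[[^\]]+\](?::\d+)?: TLSv[\d.]+"
)
# "QUEUEID: to=<user@domain>, relay=host[ip]:25, ..., status=sent (250 ...)"
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: [0-9A-Fa-f]+: to=<[^@>]+@(?P<domain>[^>]+)>, "
    r"relay=(?P<host>[^\[\s]+)\[[^\]]+\](?::\d+)?, .*status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
CERT_FAIL_RE = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for "
    r"(?P<host>[^\[\s]+)\[[^\]]+\](?::\d+)?: (?P<reason>.*)$"
)


def analyse_postfix(lines, enforced_domains):
    """Count sessions per TLS level and collect findings worth an alert.

    A Postfix smtp process logs the TLS session line before the delivery line
    of the same connection, so the last session per PID is remembered and a
    status=sent delivery with no matching session is classified as plaintext.
    Needs smtp_tls_loglevel = 1 / smtpd_tls_loglevel = 1 so every session is
    logged; connection caching (scache) can hand a session to another process,
    so treat plaintext findings as candidates to confirm, not as proof.
    """
    last_tls = {}  # pid -> (relay host, level)
    outbound, inbound, findings = Counter(), Counter(), []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            if m["prog"] == "smtpd":
                inbound[m["level"].lower()] += 1
            else:
                last_tls[m["pid"]] = (m["host"], m["level"].lower())
            continue
        m = CERT_FAIL_RE.search(line)
        if m:
            findings.append(("cert_verify_failed", m["host"], m["reason"]))
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        domain, reason = m["domain"], m["reason"]
        if m["status"] != "sent":
            outbound["not_sent"] += 1
            if "TLS" in reason or "certificate" in reason.lower():
                findings.append(("tls_delivery_failure", domain, reason))
            continue
        host, level = last_tls.get(m["pid"], (None, None))
        level = level if host == m["host"] else "plaintext"
        outbound[level] += 1
        if level == "plaintext":
            findings.append(("plaintext_delivery", domain, m["host"]))
        elif domain in enforced_domains and level not in ("trusted", "verified"):
            findings.append(("unverified_peer_for_enforced_domain", domain, level))
    return {"outbound": outbound, "inbound": inbound, "findings": findings}


def summarise_tlsrpt(report_json):
    """One row per policy in an RFC 8460 report: totals plus failures by type."""
    rows = []
    for entry in json.loads(report_json)["policies"]:
        policy, summary = entry["policy"], entry["summary"]
        failures = Counter()
        for detail in entry.get("failure-details", []):
            failures[detail["result-type"]] += detail.get("failed-session-count", 0)
        rows.append({"domain": policy["policy-domain"], "type": policy["policy-type"],
                     "ok": summary["total-successful-session-count"],
                     "failed": summary["total-failure-session-count"],
                     "failures": dict(failures)})
    return rows


# Constructed log excerpt: sent with Verified, sent with Untrusted, plaintext
# delivery, certificate failure, "TLS required" deferral, inbound anonymous.
SAMPLE_LOG = [
    "Feb  8 10:00:01 mx1 postfix/smtp[3101]: Verified TLS connection established to mx.partner.example[198.51.100.7]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Feb  8 10:00:01 mx1 postfix/smtp[3101]: 4F1A2B3C4D: to=<alice@partner.example>, relay=mx.partner.example[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Feb  8 10:00:05 mx1 postfix/smtp[3102]: Untrusted TLS connection established to mail.shop.example[203.0.113.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Feb  8 10:00:05 mx1 postfix/smtp[3102]: 5A6B7C8D9E: to=<orders@shop.example>, relay=mail.shop.example[203.0.113.20]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 queued)",
    "Feb  8 10:00:09 mx1 postfix/smtp[3103]: 6B7C8D9E0F: to=<bob@legacy.example>, relay=smtp.legacy.example[192.0.2.9]:25, delay=1.5, delays=0.1/0/1.0/0.4, dsn=2.0.0, status=sent (250 OK id=1abc)",
    "Feb  8 10:00:12 mx1 postfix/smtp[3104]: certificate verification failed for mx.bank.example[192.0.2.33]:25: untrusted issuer /CN=Self-Signed Test CA",
    "Feb  8 10:00:12 mx1 postfix/smtp[3104]: 7C8D9E0F1A: to=<treasury@bank.example>, relay=mx.bank.example[192.0.2.33]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=4.7.5, status=deferred (Server certificate not trusted)",
    "Feb  8 10:00:15 mx1 postfix/smtp[3105]: 8D9E0F1A2B: to=<hr@partner.example>, relay=mx2.partner.example[198.51.100.8]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx2.partner.example[198.51.100.8])",
    "Feb  8 10:00:20 mx1 postfix/smtpd[3110]: Anonymous TLS connection established from client.example.net[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
]

# Constructed TLS-RPT report, as the rua address for ornek.example would receive it.
SAMPLE_TLSRPT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "report-id": "2026-02-07T00:00:00Z_ornek.example",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "ornek.example",
                   "policy-string": ["version: STSv1", "mode: enforce", "mx: mx1.ornek.example", "max_age: 604800"],
                   "mx-host": ["mx1.ornek.example"]},
        "summary": {"total-successful-session-count": 1840, "total-failure-session-count": 15},
        "failure-details": [
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "203.0.113.77",
             "receiving-mx-hostname": "mx1.ornek.example", "failed-session-count": 12},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "203.0.113.78",
             "receiving-mx-hostname": "mx1.ornek.example", "failed-session-count": 3}]}]})

if __name__ == "__main__":
    result = analyse_postfix(SAMPLE_LOG, {"partner.example", "bank.example"})
    print("outbound:", dict(result["outbound"]), "inbound:", dict(result["inbound"]))
    for finding in result["findings"]:
        print("ALERT", *finding)
    for row in summarise_tlsrpt(SAMPLE_TLSRPT):
        print("TLS-RPT", row)
```

Feed `analyse_postfix` real lines from your mail log instead of `SAMPLE_LOG`; the finding tuples are what you would turn into alerts. Two of them deserve a hard alert rather than a dashboard entry: a `plaintext_delivery` to a domain you believe is covered by an `encrypt`, `secure` or `dane-only` entry in your Postfix TLS policy map means the map is not being consulted, and a rising `certificate-host-mismatch` count in TLS-RPT right after an MX cutover usually means the new MX presents a certificate that does not match the hostname named in your MTA-STS policy.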