My take would be that for a general service provider, like TPG, you should be as accepting as possible. That would include accepting clear text and TLS 1.0 (although possibly not SSLv3). Any specific sender or recipient can enforce stronger limitations if they choose to do so.
For a provider that has any focus on security it's potentially a different story. In that case enforcing TLS1.2 potentially makes sense, although it then raises the question around what you do with servers that don't support TLS at all, or like TPG at the moment, don't support TLS higher than 1.0 (is cleartext better than TLS1.0?) Then there's the elephant in the room when it comes to SMTP around certificate verification, and if/how you determine you're talking to the correct mail server (at which point you have to move the conversation over to things like DNSSEC)

Scott

On Tue, Jul 24, 2018, 09:48 Paul Wilkins <paulwilkins...@gmail.com> wrote:

> Should TLS 1.0 be acceptable?
>
> I don't claim to be a crypto geek.
>
> Curiously the ISM standards make TLS 1.2 only advisory:
>
>    - Control: 1447; Revision: 0; Updated: Apr-15; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
>       - Agencies *must use TLS*.
>    - Control: 1139; Revision: 3; Updated: Apr-15; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA
>       - Agencies *should use the latest version of TLS*
>
> Kind regards
>
> Paul Wilkins
>
> On 24 July 2018 at 11:10, Scott Howard <sc...@doc.net.au> wrote:
>
>> On Mon, Jul 23, 2018 at 6:00 PM, Noel Butler <noel.but...@ausics.net> wrote:
>>>
>>> You are the one choosing to use cpanel/plesk, lazy webhost solutions
>>> that puts all your customers' eggs in the one single basket (though I heard
>>> plesk may soon be changing that), sorry, but that is not TPG's fault your
>>> chosen hosting software lives in the 90s.
>>
>> Perhaps not, but it IS TPG's fault that their mail server is only
>> supporting encryption algorithms that live in the 90's...
>>
>> Irrespective of the PCI argument or not, TPG supporting TLS 1.0 but not
>> higher in 2018 simply shouldn't be seen as acceptable.
>>
>> Scott
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG@lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
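The two stances discussed in this thread (accept as much as possible, versus enforce TLS 1.2) written out as mail server configuration. This is an added example, not part of any poster's message, and it assumes a Postfix 3.x MTA, which the thread does not mention.

```conf
# Constructed Postfix main.cf fragments (assumption: Postfix 3.x).
# Use ONE profile; Profile B is shown commented out.

# --- Profile A: general provider, accept as much as possible ---
# Opportunistic STARTTLS: TLS is offered and used when the peer supports it,
# cleartext is still accepted (inbound) and still used (outbound) otherwise.
smtpd_tls_security_level = may
smtp_tls_security_level = may
# Protocol list for opportunistic TLS: TLS 1.0 and later allowed, SSLv2/SSLv3 refused.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

# --- Profile B: security-focused provider, TLS 1.2 floor ---
# Mandatory TLS: inbound mail without STARTTLS is refused, outbound mail to a
# server without usable TLS is deferred. A peer limited to TLS 1.0 fails the
# handshake and is treated the same way.
#smtpd_tls_security_level = encrypt
#smtp_tls_security_level = encrypt
# Protocol list for mandatory TLS: only TLS 1.2 and later remain.
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# --- Outbound server authentication via DNSSEC (the certificate point) ---
# DANE: authenticate the receiving server against DNSSEC-signed TLSA records.
# Destinations without TLSA records fall back to opportunistic TLS; "dane-only"
# would make TLSA records mandatory. Needs a DNSSEC-validating resolver.
#smtp_dns_support_level = dnssec
#smtp_tls_security_level = dane
```

Neither `may` nor `encrypt` verifies the peer's certificate name, so both profiles protect against passive interception only; the DANE settings are what tie the TLS session to the intended mail server.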