Anyone aware of email servers that take the approach that CloudFlare has, which is not allow the lowest common denominator or cleartext to be used if there’s a better/more-secure cipher, but still support the old stuff (in CloudFlare’s case, SHA-1) if that’s all it can do?
https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/ I think most would agree it’s better to accept receiving email from Exchange servers using RC4 than clear text, but that we should be aiming for TLSv1.1 or greater. Frank From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Eric Henson Sent: Friday, April 01, 2016 12:07 PM To: mailop@mailop.org Subject: Re: [mailop] Gmail red open padlock composing message http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx Exchange 2003 is out of support. Exchange 2007 support ends 4/11/2017. Exchange 2010 and later best practice is to disable RC4 and SSLv3. I’d say it may be best to leave RC4 enabled until 4/11/2017, but my PCI scanning vendor disagrees. From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Franck Martin via mailop Sent: Friday, April 1, 2016 11:27 AM To: Kirk MacDonald Cc: mailop@mailop.org <mailto:mailop@mailop.org> ; Tim Bray Subject: Re: [mailop] Gmail red open padlock composing message RC4 is a conundrum, it is about the only cypher you can negotiate with old MS-Exchange, so if you disable it, then the email will go in clear text. Which one is better? Clear text or RC4? Or too bad for old mail servers? PFS or Elliptic ciphers are asymmetric in implementation, so you need to check what's negotiated as a sender and as a receiver. Finally it seems some systems do not fall back anymore, if you initiate STARTTLS and can't negotiate it, then you can't send email in clear text. And then look at SMTP STS On Fri, Apr 1, 2016 at 6:00 AM, Kirk MacDonald <kirk.macdon...@corp.eastlink.ca <mailto:kirk.macdon...@corp.eastlink.ca> > wrote: Whoops, I fully intended to audit the available ciphers; clearly I missed doing that. Should be OK now. Tragically, PFS is not (yet) supported on the TLS mechanism I am making use of. I hope to be able to change that in the somewhat near future. -----Original Message----- From: Tim Bray [mailto:t...@kooky.org <mailto:t...@kooky.org> ] Sent: Friday, April 01, 2016 5:58 AM To: Kirk MacDonald <kirk.macdon...@corp.eastlink.ca <mailto:kirk.macdon...@corp.eastlink.ca> >; mailop@mailop.org <mailto:mailop@mailop.org> Subject: Re: [mailop] Gmail red open padlock composing message On 31/03/16 17:38, Kirk MacDonald wrote: > With thanks to Google for pushing the cause, I implemented STARTTLS > functionality on my org’s MX (as well as outbound SMTP with > opportunistic STARTTLS). Firstly - well done for doing it. Everybody should be enabling TLS. Did you test the install? You have TLS, but there are some issues with your setup: https://ssl-tools.net/mailservers/corp.eastlink.ca So you need to disable the RC4 cipher. Everybody suggests it is insecure. Also you don't support the correct ciphers for Perfect Forward Secrecy. I'm not sure whether this affects whether google shows the padlock or not. Best practice is to get it fixed. I think ssl-tools.net <http://ssl-tools.net> is the best test for TLS mailservers. You can test your mail sending as well. For webservers, use https://www.ssllabs.com/ssltest/ to test. There is also a tool to help make good configs at https://mozilla.github.io/server-side-tls/ssl-config-generator/ What I've realised over the last year or so is that SSL/TLS isn't something you can just fiddle with until it works. If you want it secure, across all browsers, it needs some work. https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ is an excellent book. Tim _______________________________________________ mailop mailing list mailop@mailop.org <mailto:mailop@mailop.org> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
