On 22/05/2018 15:47, Al Iverson wrote:
> Are folks disabling TLS1.0 support in SMTP? Our security team has asked, but I'm a bit concerned about potential failure cases when trying to deliver mail to smaller corporate sites that might be doing stuff like requiring TLS but supporting 1.0 only... is that really much of a concern?

Given that email will drop back to unencrypted if it can't be sent using encryption, being too enthusiastic at disabling encryption protocols/ciphers will probably just mean that messages end up being sent totally unencrypted.
So, is it better to send using weak encryption or no encryption at all? Unless the weak encryption discloses things like private keys which could compromise the stronger encryption options, then it's usually better to use weak encryption rather than none.
Personally, I'd leave TLS 1.0 enabled unless you're also preventing unencrypted traffic and know you will only be dealing with people where that won't be a problem (e.g. on an intranet).

-- 
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
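
One way to size the concern discussed in this thread before changing any setting, given as an added example that is not part of the original messages: scan the sending MTA's log for the TLS version each outbound session negotiated and list the destinations that only ever reached a legacy version, since under opportunistic TLS those are the ones that would drop to cleartext. It assumes Postfix with `smtp_tls_loglevel = 1`; the log lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Postfix smtp(8) client TLS summary line (assumes smtp_tls_loglevel >= 1).
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: \w+ TLS connection established to "
    r"(?P<host>[^\[\s]+)\[[^\]]*\]:\d+: (?P<proto>(?:TLS|SSL)v[\d.]+) with cipher"
)
# Versions a "disable old TLS" policy would refuse; OpenSSL logs TLS 1.0 as "TLSv1".
LEGACY = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})

# Constructed sample log; hosts and addresses are documentation placeholders.
SAMPLE_LOG = """\
May 22 15:01:02 mx postfix/smtp[2101]: Trusted TLS connection established to mail.big.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 22 15:01:03 mx postfix/smtp[2101]: 4A1B2C3D4E: to=<a@big.example>, relay=mail.big.example[192.0.2.10]:25, status=sent (250 2.0.0 Ok)
May 22 15:02:10 mx postfix/smtp[2102]: Untrusted TLS connection established to mail.small.example[198.51.100.7]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
May 22 15:03:44 mx postfix/smtp[2103]: Untrusted TLS connection established to mail.small.example[198.51.100.7]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
May 22 15:04:05 mx postfix/smtp[2104]: Untrusted TLS connection established to mx.mixed.example[203.0.113.5]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
May 22 15:09:30 mx postfix/smtp[2105]: Untrusted TLS connection established to mx.mixed.example[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

def protocols_by_host(log_text):
    """Map each destination host to a Counter of negotiated protocol versions."""
    hosts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:  # delivery-status and other lines are ignored
            hosts[m.group("host")][m.group("proto")] += 1
    return hosts

def legacy_only(log_text, legacy=LEGACY):
    """Hosts whose every logged session used a legacy version -> session count."""
    return {
        host: sum(counts.values())
        for host, counts in protocols_by_host(log_text).items()
        if set(counts) <= legacy
    }

if __name__ == "__main__":
    for host, n in sorted(legacy_only(SAMPLE_LOG).items()):
        print(f"{host}: {n} session(s), legacy TLS only")
```

A host that appears with both a legacy and a modern version, like the constructed `mx.mixed.example`, is not flagged, because it has shown it can negotiate something newer.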