On Tue, 22 May 2018, Al Iverson wrote:

Are folks disabling TLS1.0 support in SMTP? Our security team has
asked, but I'm a bit concerned about potential failure cases when
trying to deliver mail to smaller corporate sites that might be doing
stuff like requiring TLS but supporting 1.0 only... is that really
much of a concern?

As Steve said, disabling TLS 1.0 gives you plain text,
so unless you can reject plain text there is little reason
to reject TLS 1.0.

If you do keep TLS 1.0 for incoming SMTP, check that the certificates
aren't valid for other services - particularly POP, IMAP and webmail -
where you do disable TLS 1.0, just in case a TLS version of DROWN
shows up.

Also, does the MTA check the name in the certificate?
I understand that not all do (or didn't until recently)
since you can't always determine what the name should be.

--
Andrew C. Aitchison                                     Cambridge, UK
                        and...@aitchison.me.uk

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
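
The certificate check suggested in the message above, as an added example that is not part of the original post: it flags a key or certificate served on an endpoint that still allows TLS 1.0 when the same key, or a name in that certificate, would also be accepted for a service where TLS 1.0 is disabled. The inventory, hostnames and fingerprints are constructed, and the Endpoint field names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str           # name clients connect to
    service: str        # smtp, imap, pop3, https, ...
    allows_tls10: bool  # True if TLS 1.0 can still be negotiated
    spki_sha256: str    # fingerprint of the certificate's public key
    san: tuple          # DNS names listed in the certificate


def name_matches(pattern, host):
    """Certificate name match: '*' covers exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def cross_service_exposure(endpoints):
    """Return (legacy_host, hardened_host, reason) for every certificate on a
    TLS 1.0 endpoint that is also usable for a TLS 1.0-disabled service."""
    legacy = [e for e in endpoints if e.allows_tls10]
    hardened = [e for e in endpoints if not e.allows_tls10]
    findings = []
    for old in legacy:
        for new in hardened:
            if old.spki_sha256 == new.spki_sha256:
                findings.append((old.host, new.host, "same key"))
            elif any(name_matches(n, new.host) for n in old.san):
                findings.append((old.host, new.host, "name covered"))
    return findings


# Constructed inventory: fingerprints are placeholders, not real hashes.
INVENTORY = [
    Endpoint("mx1.example.org", "smtp", True, "aa11",
             ("mx1.example.org", "*.example.org")),
    Endpoint("imap.example.org", "imap", False, "aa11",
             ("mx1.example.org", "*.example.org")),
    Endpoint("webmail.example.org", "https", False, "bb22",
             ("webmail.example.org",)),
    Endpoint("pop.mail.example.org", "pop3", False, "cc33",
             ("pop.mail.example.org",)),
]

if __name__ == "__main__":
    for finding in cross_service_exposure(INVENTORY):
        print(finding)
```

A clean result means the SMTP certificate has its own key and names only the mail exchanger, so a weakness in the older protocol version stays confined to SMTP.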
