On Wed, 3 Aug 2022, Sidsel Jensen via mailop wrote:
> Hi MailOps
>
> We were having a discussion on the possibility to disable TLS 1.0 and 1.1 for MTA to MTA communication, and based on the numbers we've seen so far, it doesn't look that far fetched. What's the common consensus in the mail community about this currently? It's already been disabled for our customers towards e.g. imap and smtp, and we all agree those pesky old versions should be phased out, sooner rather than later, but have you also disabled it for MTA to MTA communication as well or are you still considering it? And what scenarios are currently holding you back?
I think I see the argument for dropping TLS 1.0 and 1.1 but keeping PLAIN, in that the TLS libraries are simpler, although I suspect that the lean/clean implementations are v1.3 only.
> And what about PLAIN - do you still allow that as the fallback option or are you also considering disabling that?
Last time I heard, many sites did not verify the authenticity of the certificate. Has that improved with the rollout of DANE and MTA-STS? I suspect that there are enough sites that do not yet support both in both directions that interoperability would suffer if this was widely enforced.

As I understand it, it is unusual for the server to require an authenticated client certificate. Does that matter to you?

If you subscribe to "No STARTTLS" https://nostarttls.secvuln.info/ and drop PLAIN, you have retired port 25. I believe there are ways to signal that clients should use another port on your server, but I don't remember the details and don't know how well supported they are.

I guess that it *is* time to start measuring these things, but there are many cases (mailing lists for one) that do not need encryption, so I do not think most sites should enforce PLAIN. Some sites might however wish to include this when evaluating the reputation of an individual message.

Tobias Fiebig commented:
> Side note: I recently ran into a security research institute with whom I could not agree on ciphers with the OpenSMTPd default cipher list on my side… their choices were just a tad dusty…
Long ago I had a support ticket from a user visiting a four letter national security centre complaining that he could not ssh to our department.
Translated, the error message we were giving was "your codes are too old". That made my day.

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
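On the "time to start measuring these things" point above: an added example, not from this thread or any poster, showing how to tally negotiated TLS versions and certificate trust levels from Postfix smtp client log lines, so an operator can see which peers would break if TLS 1.0/1.1 were disabled outbound. The log lines are constructed samples, and the Postfix log wording ("Trusted/Verified/Untrusted/Anonymous TLS connection established to ...") is assumed; adapt the regex for another MTA.

```python
import re
from collections import Counter, defaultdict

# Assumption: Postfix 3.x smtp(8) client log wording for TLS sessions.
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Trusted|Verified|Untrusted|Anonymous) "
    r"TLS connection established to (?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
# OpenSSL reports TLS 1.0 as plain "TLSv1".
LEGACY = {"TLSv1", "TLSv1.1"}

# Constructed sample log; hosts/addresses are documentation values.
LOG = """\
Aug  3 09:12:01 mx1 postfix/smtp[4120]: Trusted TLS connection established to mx.example.net[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug  3 09:12:07 mx1 postfix/smtp[4121]: Untrusted TLS connection established to mail.example.org[198.51.100.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  3 09:12:15 mx1 postfix/smtp[4122]: Anonymous TLS connection established to smtp.example.com[192.0.2.77]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug  3 09:12:20 mx1 postfix/smtp[4123]: Verified TLS connection established to mx2.example.net[203.0.113.6]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug  3 09:12:31 mx1 postfix/smtp[4124]: Untrusted TLS connection established to smtp.example.com[192.0.2.77]:25: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug  3 09:12:40 mx1 postfix/smtp[4125]: 3F2A1B: to=<user@example.org>, relay=mail.example.org[198.51.100.9]:25, delay=1.2, status=sent (250 OK)
"""


def parse_tls_line(line):
    """Return the fields of one client-side TLS log line, or None if it is not one."""
    m = TLS_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count sessions per protocol and trust level; list peers still on TLS 1.0/1.1."""
    by_proto, by_trust, legacy = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # non-TLS lines (delivery status etc.) are ignored
        by_proto[rec["proto"]] += 1
        by_trust[rec["trust"]] += 1  # Trusted/Verified = certificate chain validated
        if rec["proto"] in LEGACY:
            legacy[rec["peer"]].add(rec["proto"])
    return {
        "by_proto": by_proto,
        "by_trust": by_trust,
        "legacy_peers": {peer: sorted(v) for peer, v in legacy.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(LOG.splitlines()).items():
        print(key, dict(value))
```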
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop