On Wed, 3 Aug 2022, Sidsel Jensen via mailop wrote:

Hi MailOps

We were having a discussion on the possibility to disable TLS 1.0
and 1.1 for MTA to MTA communication, and based on the numbers we've
seen so far, it doesn't look that far-fetched.

What's the common consensus in the mail community about this currently?

It's already been disabled for our customers towards e.g. imap and
smtp, and we all agree those pesky old versions should be phased
out, sooner rather than later, but have you also disabled it for MTA
to MTA communication as well or are you still considering it? And
what scenarios are currently holding you back?

I think I see the argument for dropping TLS 1.0 and 1.1 but keeping PLAIN,
in that the TLS libraries are simpler, although I suspect that
the lean/clean implementations are v1.3 only.

And what about PLAIN - do you still allow that as the fallback
option or are you also considering disabling that?

Last time I heard, many sites did not verify the authenticity of the
certificate. Has that improved with the rollout of DANE and MTA-STS?
I suspect that there are enough sites that do not yet support both in
both directions that interoperability would suffer if this was widely
enforced.

As I understand it, it is unusual for the server to require an
authenticated client certificate. Does that matter to you?

If you subscribe to "No STARTTLS" https://nostarttls.secvuln.info/
and drop PLAIN, you have retired port 25. I believe there are ways
to signal that clients should use another port on your server,
but I don't remember the details and don't know how well supported they are.

I guess that it *is* time to start measuring these things, but there
are many cases (mailing lists for one) that do not need encryption, so
I do not think most sites should enforce PLAIN.
Some sites might however wish to include this when evaluating
the reputation of an individual message.

Tobias Fiebig commented:
Side note: I recently ran into a security research institute with
whom I could not agree on ciphers with the OpenSMTPd default cipher
list on my side… their choices were just a tad dusty…

Long ago I had a support ticket from a user visiting a four-letter national security centre complaining that he could not ssh to our department.
Translated, the error message we were giving was "your codes are too old".
That made my day.

--
Andrew C. Aitchison                      Kendal, UK
                   and...@aitchison.me.uk
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
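As an added example (not from the thread), one way to do the measuring Andrew talks about before switching anything off: a script that tallies TLS protocol versions and certificate trust levels from Postfix outbound `smtp` log lines, run here over a few constructed lines. It assumes Postfix's "Untrusted/Trusted/Verified/Anonymous TLS connection established" log format; the peer hostnames and addresses are made up.

```python
import re
from collections import Counter

# Postfix logs one line per outbound TLS session, carrying the trust level
# (Anonymous = no cert, Untrusted = unverified cert, Trusted/Verified = cert
# checked, e.g. via DANE or MTA-STS policy) and the negotiated protocol.
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>\S+?)\[[^\]]+\]:\d+: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)

# OpenSSL (and therefore Postfix) reports TLS 1.0 as plain "TLSv1".
LEGACY = {"TLSv1", "TLSv1.0", "TLSv1.1"}

def parse_tls_sessions(lines):
    """Return one dict per outbound TLS session found in the log lines."""
    return [m.groupdict() for m in map(TLS_RE.search, lines) if m]

def summarize(sessions):
    """Share of legacy-protocol and certificate-verified sessions, plus peers."""
    proto = Counter(s["proto"] for s in sessions)
    trust = Counter(s["trust"] for s in sessions)
    total = len(sessions)
    legacy = sum(n for p, n in proto.items() if p in LEGACY)
    return {
        "total": total,
        "by_protocol": dict(proto),
        "by_trust": dict(trust),
        "legacy_share": legacy / total if total else 0.0,
        "verified_share": trust["Verified"] / total if total else 0.0,
        # Peers still negotiating TLS 1.0/1.1: these are who you would lose.
        "legacy_peers": sorted({s["host"] for s in sessions if s["proto"] in LEGACY}),
    }

# Constructed sample log; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Aug  3 10:00:01 mx postfix/smtp[2101]: Untrusted TLS connection established to mx1.example.net[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  3 10:00:02 mx postfix/smtp[2102]: Verified TLS connection established to mx.example.com[198.51.100.7]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Aug  3 10:00:03 mx postfix/smtp[2103]: Untrusted TLS connection established to mail.old-peer.example[192.0.2.20]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug  3 10:00:04 mx postfix/smtp[2104]: 4ABC12D34E: to=<user@example.org>, relay=mx.example.org[192.0.2.9]:25, delay=0.5, status=sent (250 OK)
Aug  3 10:00:05 mx postfix/smtp[2105]: Anonymous TLS connection established to relay.dusty.example[2001:db8::1]:25: TLSv1.1 with cipher AES256-SHA (256/256 bits)
Aug  3 10:00:06 mx postfix/smtp[2106]: Trusted TLS connection established to mx2.example.net[203.0.113.6]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

if __name__ == "__main__":
    for key, value in summarize(parse_tls_sessions(SAMPLE_LOG.splitlines())).items():
        print(f"{key}: {value}")
```

Plaintext deliveries are not counted here, since Postfix does not log a per-session "no TLS" line; compare the session total against `status=sent` counts for that.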