I don't understand why Firefox did this: https://hacks.mozilla.org/2019/05/tls-1-0-and-1-1-removal-update/

Clients can clearly click the lock, check the details, and see which SSL version they're using. So if the site says it's secure and it isn't, that's on the client. So why is anyone doing this? You guys are replying to me like I'm some insane outlier here by suggesting that there's merit to a basic security practice of not allowing insecure ciphers/protocols, and I'm sitting here staring at my screen saying "How can anyone call themselves a professional and seriously argue against that?" Just cards on the table here, that's the perspective on this side.

The idea that a mail server operator should be treated as more capable and intentional than an end user doesn't take into account how many end users are mail server operators.


On 2022-08-03 14:51, Jaroslaw Rafa via mailop wrote:
On 3.08.2022 at 14:28:43, Jarland Donnell via mailop wrote:
> There's nothing that requires you to log a TLS 1.0/1.1 connection as
> being secure. You could choose to log it as if it were plaintext. It's
> likely to be logged with the protocol and cipher information.

What you log it as isn't as important as what the other party logs it as. Sure, if it were within spec to be able to return a message that the other MTA logs as "Secure but not really secure", that would be a great middle ground; the problem is that the other MTA accepts it and logs it as secure,

Like that?

Aug  3 21:39:57 rafa postfix/smtpd[17973]: Anonymous TLS connection
established from mx.mailop.org[91.132.147.157]: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

You clearly see what TLS version and what ciphers were used. So you know if
it was "secure" in your opinion or not.

But take into account that most of these connections log as "Anonymous TLS" which means there is no client certificate presented nor verified. So you don't know whether the client connecting to you really is what it claims to be. MITM is perfectly possible. I would say that in that case the quality of
cipher used is less important.

And if you configure your server to *require* remote servers to present
certificates when connecting to port 25, you would probably cut off most of
your incoming e-mail.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
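
Added example, not part of either poster's message: a small Python parser for the Postfix smtpd log format quoted above, reporting per connection both the protocol version and whether the client certificate was verified, the two properties the thread argues about. The sample lines, hostnames and addresses are constructed placeholders, and the "Trusted" label is Postfix's counterpart to the "Anonymous" label shown in the quoted log.

```python
import re
from collections import Counter

# Constructed sample lines in the smtpd format quoted in the thread.
# Hostnames and addresses are placeholders, not taken from the page.
SAMPLE_LOG = """\
Aug  3 21:39:57 mx postfix/smtpd[17973]: Anonymous TLS connection established from relay1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  3 21:40:02 mx postfix/smtpd[17975]: Anonymous TLS connection established from old.example.org[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug  3 21:40:09 mx postfix/smtpd[17977]: Trusted TLS connection established from partner.example.com[203.0.113.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug  3 21:40:11 mx postfix/smtpd[17979]: connect from plain.example.org[198.51.100.9]
"""

TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<trust>\w+) TLS connection established "
    r"from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Protocol versions treated as legacy for this report (TLS 1.0/1.1 and older).
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_line(line):
    """Return a dict for a TLS-established line, or None for any other line."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["legacy"] = rec["proto"] in LEGACY_PROTOCOLS
    # "Anonymous" means no client certificate was presented or verified.
    rec["cert_verified"] = rec["trust"] == "Trusted"
    return rec


def summarize(log_text):
    """Count connections by (protocol, trust) and list legacy-protocol peers."""
    records = [r for r in map(parse_tls_line, log_text.splitlines()) if r]
    by_proto_trust = Counter((r["proto"], r["trust"]) for r in records)
    legacy_peers = sorted({r["host"] for r in records if r["legacy"]})
    unverified = sum(1 for r in records if not r["cert_verified"])
    return by_proto_trust, legacy_peers, unverified


if __name__ == "__main__":
    counts, legacy, unverified = summarize(SAMPLE_LOG)
    for (proto, trust), n in sorted(counts.items()):
        print(f"{proto:8} {trust:10} {n}")
    print("legacy-protocol peers:", legacy)
    print("connections without a verified client certificate:", unverified)
```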
