On 13 January 2017 at 14:35, Alice Wonder <al...@domblogger.net> wrote:
> On 01/13/2017 06:30 AM, Bastian Blank wrote:
>>
>> On Thu, Jan 12, 2017 at 09:00:20PM +0000, Dominic Raferd wrote:
>>>
>>> I would prefer to disable TLSv1(.0) because it
>>> does not pass PCI DSS v3.2 but evidently that is not workable at the
>>> moment:
>>
>>
>> Can you explain how PCI DSS applies to mail. Especially for a public MX,
>> which can't use mandatory encryption?
>>
>> Do you really send payment data via mail?
>>
>> Regards,
>> Bastian
>>
>
> I run a mail server with a public MX that refuses insecure connections.
>
> Yes it technically breaks the RFC but it also gets far far far far less spam
> than any other public MX server I run. Not because spammers don't try, but
> because they quite frequently don't try with TLS.
>
> Public MX servers can use mandatory encryption. It's not like you are going
> to be fined for not accepting insecure connections...
We don't send any payment data by email but we did have a separate POS machine at the same location and this had to pass PCI DSS. The online test for this POS machine flagged a 'fail' if we permitted TLS 1.0 on our (separate, but co-located) mail server.