1st, this is -- for me -- a postix/mail-RELATED security question. But if it's
too general, I'm happy to take it elsewhere; suggestions as to the appropriate
forum, if not here, are welcome.
A 'major financial institution', call 'em "FinCo", sends email to users on my
server that arrives with 'invalid' dkim sig,
dkim=invalid (unsupported algorithm rsa-sha1, 1024-bit rsa key sha1)
Fri Oct 12 16:18:05 2018 authentication_milter_mx[7045]
header.d=FINCO.com header.i=@FINCO.com header.b=xxxxxx
Fri Oct 12 16:18:05 2018 authentication_milter_mx[7045]
header.a=rsa-sha1 header.s=mail-dkim;
and negotiates TLSv1
postfix/postscreen-internal/smtpd[52027]: Anonymous TLS connection
established from mta11.FINCO.com[xx.xx.xx.xx]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
I know that, generally, uses of TLSv1 & sha1 are, at least, fish-slap-worthy --
if not downright fully deprecated.
What I don't know is if, in current practice, either is a concern -- from
viewpoint of general security, standards compliance, etc -- for *MAIL*
security. Namely, DKIM sig and TLS negotation.
What *IS* the current recommendation on these?
IS it time, yet, to block TLSv1 negotation &/or sha1-signed DKIM sigs
in mail flow?
Applying blanket blocks for either, in Postfix setup, is trivial enough. Just
a question for me of wheter it's "safe", or "sensical", to do it.
