On 13/10/18 14:02, pg...@dev-mail.net wrote:
> I may have been unclear -- it's my server receiving emails from the
> errant FinCo, dkim-signed with sha1 sigs. So up to me to determine
> if they are 'putting clients at risk' by being lazy about their
> security, and blocking their messages.

You're presenting two different issues here, let's look at each one separately:

Issue #1 the use of TLSv1.0. Unless I'm mistaken the only actual vulnerability to TLSv1.0 is BEAST, which can be (and likely is) mitigated client-side, so if your version of openssl mitigates BEAST then TLSv1.0 should actually be safe to use as a client. Using it as a server will depend on whether or not the connecting client has mitigated BEAST.

That said, when making public connections on port 25, the recommended setting for smtp[d]_tls_security_level is "may", because if you set it to enforce there are still a number of servers that do not support encryption at all that you will not be able to communicate with. So if you were to limit TLS connections to TLSv1.2 and higher then a TLSv1.0 connection will simply fall back to plain text, and then you're left with no encryption at all, so ask yourself which is better, broken encryption, or no encryption and you will see that it's probably best to go ahead and accept TLSv1.0 connections, even from a financial institution.

As for SHA1, that is a different matter. Do you accept a DKIM sig signed with SHA1 or not? Personally I would just accept it and not worry about it, but if you're concerned then there are a couple of options. You can treat it as unsigned, and accumulate a SPAM score appropriately, or perhaps you can go part way in-between and give it a lesser SPAM score than an unsigned message but still give it something.

Anyways, at the end of the day the choice is up to you, and it comes down to two things to consider:

Is it worth blocking mail from a financial institution in order to gain marginally better security?

What is the likelihood that a spammer is going to try to brute-force an SHA1 hash collision in order to send out SPAM?

Good Luck,

Peter
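
The scoring options for SHA1-signed mail described in the reply above, sketched as an added example that is not part of the original message or of any mail filter's own code. The function names, the score values and the `finco.example` sample messages are constructed assumptions, and the code assumes a DKIM verifier has already validated the signatures themselves.

```python
import email

# Constructed score values (assumptions; tune for your own filter).
SCORE_UNSIGNED = 2.0   # no usable DKIM signature
SCORE_SHA1 = 1.0       # signed, but only with rsa-sha1
SCORE_SIGNED = 0.0     # signed with a SHA-256 based algorithm
STRONG = {"rsa-sha256", "ed25519-sha256"}

def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_score(raw_message):
    """Return (label, score) from the a= tags of all DKIM-Signature headers.
    Assumes a DKIM verifier has already checked the signatures themselves."""
    msg = email.message_from_string(raw_message)
    algs = [parse_tag_list(str(h)).get("a", "").lower()
            for h in msg.get_all("DKIM-Signature", [])]
    if any(a in STRONG for a in algs):
        return ("signed", SCORE_SIGNED)
    if "rsa-sha1" in algs:
        return ("sha1-signed", SCORE_SHA1)
    return ("unsigned", SCORE_UNSIGNED)

def sample(sig_header):
    """Build a constructed test message with an optional signature header."""
    return sig_header + "From: alerts@finco.example\nSubject: statement\n\nbody\n"

# Constructed sample messages; bh= and b= values are placeholders.
SHA1_MSG = sample("DKIM-Signature: v=1; a=rsa-sha1; d=finco.example; s=sel1;\n"
                  "\th=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n")
SHA256_MSG = sample("DKIM-Signature: v=1; a=rsa-sha256; d=finco.example;\n"
                    "\ts=sel2; h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n")
UNSIGNED_MSG = sample("")

if __name__ == "__main__":
    for name, m in [("sha1", SHA1_MSG), ("sha256", SHA256_MSG),
                    ("none", UNSIGNED_MSG)]:
        print(name, dkim_score(m))
```

Setting `SCORE_SHA1` equal to `SCORE_UNSIGNED` gives the "treat it as unsigned" option; any value between the other two gives the in-between option.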