On Wed, Jul 28, 2021 at 04:39:39PM +0200, Josh Good wrote:

> > Subject: Email con TLS inferior a 1.2 / Email with TLS less than 1.2
> >  
> > Good Afternoon, We inform you that due to Rhenus security policies,
> > as of 08/01/2021 receiving of emails that do not comply with version
> > 1.2 of the TLS protocol will be restricted.  All emails sent in
> > particular to the domain @es.rhenus.com and in general to any Rhenus
> > domain @*.rhenus.com must be sent with the TLS 1.2 protocol or
> > higher.  Any mail received without fulfilling this condition will be
> > rejected by our server.
> 
> The above could mean that starting 08/01/2021 their TLS support will
> only support TLS 1.2 (and not any earlier TLS version) with their
> inbound SMTP servers remaining configured in "opportunistic TLS" mode

That's my reading of the situation.  Someone decided to implement
checklist compliance, disconnected from any sound threat model.

Communication with SMTP clients or remote servers that only support TLS
1.0 will likely be in the clear, b/c that's of course more secure than
TLS 1.0. :-)

Of course one should ensure that all the systems one operates do support
TLS 1.2 and probably also TLS 1.3, but I would as yet recommend
disabling TLS 1.0 in SMTP, there is no compelling reason to do that.

> If the case is the second one, is that a current trend? Has rfc2487
> been obsoleted and mandatory TLS is now considered "industry standard"
> in publicly-referenced SMTP server?

Use of STARTTLS in MTA-to-MTA SMTP is of course recommended, and widely
practiced,

    https://transparencyreport.google.com/safer-email/overview

but is not as yet a requirement.  Some "elite" operators may choose to
refuse to communicate with the laggards still sending in cleartext, but
that's just a bleeding edge choice, not a protocol requirement.

-- 
    Viktor.
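As an added illustration, not part of the original thread and assuming the receiving MTA is Postfix (the message does not say which MTA is in use), here is how the inbound policy discussed above looks in a Postfix main.cf. The first block is the "checklist" variant (version floor raised while the security level stays opportunistic), the second keeps the mailbox reachable over TLS 1.0/1.1 for legacy senders, and the third is what it would take to actually refuse unencrypted delivery. Parameter names are real Postfix settings; the comments describing the outcome are the editor's reading of the thread:

```ini
# --- Variant 1: what the notice appears to describe ---------------------
# Opportunistic TLS: STARTTLS is offered, never required.
smtpd_tls_security_level = may
# Raise the floor to TLS 1.2 for the opportunistic handshake.
# A sender that can only do TLS 1.0/1.1 fails the handshake; nothing in
# this configuration forces it to come back with TLS, so the message is
# at best deferred and at worst delivered in cleartext on the next try.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# --- Variant 2: accept old TLS rather than push laggards to cleartext ---
smtpd_tls_security_level = may
# Postfix default: only the broken SSLv2/SSLv3 are excluded; TLS 1.0 and
# 1.1 remain negotiable, which is still better than no encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3

# --- Variant 3: encryption is actually mandatory ------------------------
# Only at this level is "mail without TLS will be rejected" literally true.
# Note that public MX hosts rarely run like this; it breaks delivery from
# every sender that does not do STARTTLS at all.
smtpd_tls_security_level = encrypt
# The *mandatory* protocol list is what applies at the "encrypt" level.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

On the sending side the same distinction holds: with `smtp_tls_security_level = may` a version restriction in `smtp_tls_protocols` only narrows which handshakes succeed, it never turns cleartext fallback into a failure. Whichever variant is chosen, checking the outcome with `openssl s_client -starttls smtp -connect mx.example.invalid:25` (a placeholder host) before the cutover date shows which protocol the server actually negotiates.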
