On Wed, Jul 28, 2021 at 04:39:39PM +0200, Josh Good wrote:

> > Subject: Email con TLS inferior a 1.2 / Email with TLS less than 1.2
> >
> > Good Afternoon, We inform you that due to Rhenus security policies,
> > as of 08/01/2021 receiving of emails that do not comply with version
> > 1.2 of the TLS protocol will be restricted. All emails sent in
> > particular to the domain @es.rhenus.com and in general to any Rhenus
> > domain @*.rhenus.com must be sent with the TLS 1.2 protocol or
> > higher. Any mail received without fulfilling this condition will be
> > rejected by our server.
>
> The above could mean that starting 08/01/2021 their TLS support will
> only support TLS 1.2 (and not any earlier TLS version) with their
> inbound SMTP servers remaining configured in "opportunistic TLS" mode
That's my reading of the situation.  Someone decided to implement
checklist compliance, disconnected from any sound threat model.
Communication with SMTP clients or remote servers that only support
TLS 1.0 will likely be in the clear, b/c that's of course more secure
than TLS 1.0. :-)

Of course one should ensure that all the systems one operates do
support TLS 1.2 and probably also TLS 1.3, but I would as yet recommend
disabling TLS 1.0 in SMTP, there is no compelling reason to do that.

> If the case is the second one, is that a current trend? Has rfc2487
> been obsoleted and mandatory TLS is now considered "industry standard"
> in publicly-referenced SMTP server?

Use of STARTTLS in MTA-to-MTA SMTP is of course recommended, and widely
practiced,

    https://transparencyreport.google.com/safer-email/overview

but is not as yet a requirement.  Some "elite" operators may choose to
refuse to communicate with the laggards still sending in cleartext, but
that's just a bleeding edge choice, not a protocol requirement.

-- 
    Viktor.
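The downgrade Viktor describes (a version floor on an opportunistic-TLS receiver turns old senders into cleartext senders rather than rejected ones) is easy to see in a small decision model. This is an added illustration, not Postfix or Rhenus code; the policy names follow Postfix's security levels (none / may / encrypt), but the decision logic is a simplified assumption about how the two sides' settings combine, not a transcript of any MTA's actual behaviour.

```python
"""Simplified model of what happens to one SMTP delivery attempt given the
sending and receiving sides' TLS policy.  Assumptions (not taken from any
MTA's source): STARTTLS is offered whenever the receiver's level is not
"none"; a handshake succeeds only if the two version ranges overlap; after
a failed or absent handshake an opportunistic ("may") side continues in
the clear, while a mandatory ("encrypt") side refuses to continue."""
from dataclasses import dataclass

# Ordering of protocol versions, lowest to highest.
TLS_VERSIONS = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass
class Peer:
    level: str        # "none" (never TLS), "may" (opportunistic), "encrypt" (mandatory)
    min_version: str  # lowest protocol version this side accepts
    max_version: str  # highest protocol version this side can speak


def handshake_ok(client: Peer, server: Peer) -> bool:
    """A TLS session is negotiated only if both version ranges overlap."""
    low = max(TLS_VERSIONS[client.min_version], TLS_VERSIONS[server.min_version])
    high = min(TLS_VERSIONS[client.max_version], TLS_VERSIONS[server.max_version])
    return low <= high


def delivery_outcome(client: Peer, server: Peer) -> str:
    """Return "tls", "cleartext" or "rejected" for one delivery attempt."""
    starttls_offered = server.level != "none"
    if client.level != "none" and starttls_offered and handshake_ok(client, server):
        return "tls"
    # No usable TLS session: a side that mandates TLS will not proceed.
    if client.level == "encrypt" or server.level == "encrypt":
        return "rejected"
    # Both sides merely opportunistic: the mail is transmitted unencrypted.
    return "cleartext"


def version_floor_matrix(server: Peer) -> dict:
    """Outcome for a TLS 1.0-only sender and a modern sender, both opportunistic."""
    legacy_sender = Peer("may", "TLSv1", "TLSv1")
    modern_sender = Peer("may", "TLSv1", "TLSv1.3")
    return {"legacy": delivery_outcome(legacy_sender, server),
            "modern": delivery_outcome(modern_sender, server)}


if __name__ == "__main__":
    # Receiver with a TLS 1.2 floor, still in opportunistic mode (constructed example).
    print(version_floor_matrix(Peer("may", "TLSv1.2", "TLSv1.3")))
```

With the receiver at level "may" and a TLSv1.2 floor the legacy sender lands on "cleartext", and only switching the receiver to "encrypt" turns that into "rejected", which is the distinction the notice quoted above glosses over.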